b'                       EXECUTIVE SUMMARY\n\n\n     In June 1997, the Federal Communications Commission (FCC)\nOffice of Inspector General (OIG) established a task order with\nTWM Associates, Inc. to conduct a special review of the\nCommission\xe2\x80\x99s Collection System. The objective of this review was\nto examine the current operational system, examine on-going\nmodifications, and recommend alternative products. To accomplish\nthese objectives, the review team conducted interviews with\nCommission and contract support staff; evaluated Collection\nSystem documentation and computer code; conducted research on\nalternative software solutions; and conducted a benchmarking\neffort of other government agencies.\n\n     During our assessment of the current Collection System, the\nreview team made one-hundred twenty-eight (128) observations in\nthe areas of: internal controls; audit trails; programming\nsupport; database support; security; banking related matters;\nbusiness process improvements; policies and procedures, and\nsystems development lifecycle issues. Of the one hundred twenty-\neight (128) observations, forty-six (46) are considered high and\nmedium exposure items that should be addressed immediately.\nSignificant high exposure observations are as follows:\n\n    \xe2\x80\xa2    As part of a data quality review initiated by the\n         Wireless Telecommunications Bureau (WTB), the\n         collection database was loaded with data from a paradox\n         file containing modified data elements. This upload\n         was performed without a proper audit trail, including\n         evidence supporting individual changes, the deletion of\n         individual transactions, and changes made to original\n         source documents.\n\n    \xe2\x80\xa2    The collections system does not have functionality to\n         allow for an audit trail when changes (including data\n         element changes, insertions, and deletions) are made to\n         the database. An audit trail is a core requirement of\n         any financial accounting system.\n\n    \xe2\x80\xa2    The collection system does not record and track all\n         collection-related transactions. Although some\n         collection transaction information has been provided to\n         contractor support personnel for loading into the\n         collection database, at the time this review was\n         completed, this information load had not yet been\n         performed.\n\n    \xe2\x80\xa2    The Commission has not established separate operating\n         environments for system development/maintenance work\n         and production. In addition, contract support staff\n         responsible for system enhancements and maintenance are\n\x0c          also responsible for system operation.\n\n     In addition, the review team identified high exposure\nobservations related to systems development and systems security\nissues. A detailed description of all one hundred twenty-eight\n(128) observations with accompanying recommendations is included\nin Section E of this report.\n\n      During early discussions with management from the Wireless\nTelecommunications Bureau (WTB) and the Office of Managing\nDirector (OMD), the OIG became aware of discussions about a\nparallel collection system review effort being considered by\nthese organizations. After review of the proposed project, the\nOIG agreed to establish an additional task under their existing\ntask order with TWM. The objective of the additional task was to\nassess the integrity of the data contained in the Collection\nSystem for completeness, validity, accuracy, and proper\nrecording. To conduct this portion of the review, the OIG worked\nwith WTB and OMD staff to develop an appropriate statement of\nwork to conduct an "Agreed Upon Procedures" review. The OIG then\nrequested that TWM solicit bids from "Big Six" accounting firms\nto establish a subcontract with TWM to perform the procedures.\nAfter discussion with FCC management, Ernst & Young, L.L.P.\n(hereafter referred to as "E&Y") was selected to complete the\nwork.\n\n     On April 24, 1998, E&Y issued a report, entitled "Collection\nSystem Agreed Upon Procedures Report," summarizing the results of\ntheir review. In this report, E&Y identified a multitude of data\nquality issues within the Collection Database. Of the one\nthousand six-hundred ninety-five (1695) transactions selected for\nreview, E&Y identified the following conditions:\n\n     \xe2\x80\xa2    Source documents were not provided for fifty-two (52)\n          of the selected transactions.\n\n     \xe2\x80\xa2    Data contained in the collections database differed\n          from source documents for seven-hundred eleven (711)\n          items representing forty-two percent (711/1695 = 42%)\n          of selected transactions.\n\n     \xe2\x80\xa2    Of the seven-hundred eleven (711) transactions, thirty-\n          three (33) transactions, with a total dollar value of\n          approximately $39 million, related to discrepancies in\n          monetary amounts or instances where no check or wire\n          slip could be located to substantiate the transaction.\n          Of these, only one was an auction-related transaction.\n\n     Although E&Y successfully completed the engagement, the\nreview team experienced significant difficulties. The process of\ntying supporting documents to data elements in the collections\ndatabase proved to be time consuming as extra analysis was\n                                2\n\x0crequired to determine how to tie the items together. The results\nof the E&Y data integrity review are discussed in summary in\nSection F of this document and the detailed report is included as\nAppendix A. As part of the review process, E&Y requested that\nFCC management prepare a representation memorandum for the data\nintegrity portion of the review. In this document, FCC\nmanagement made representations regarding the integrity of data\nin the collection system, the conduct of the review, the\ncondition of internal controls, and compliance with laws and\nregulations. A copy of the representation letter is included as\nAppendix B of this report.\n\n     On December 31, 1997, Chairman Kennard forwarded the FY 1997\nFederal Managers\' Financial Integrity Act (FMFIA) Annual Report\nfor the Federal Communications Commission to President Clinton.\nIn the cover memorandum forwarding that report, the Chairman\nrecognized a material weakness and material non-conformance\ndealing with the "integration of the Commission\'s billings and\ncollections system with the central accounting system." The\nChairman went on to state that "(b)ecause of the material non-\nconformance of our automated system, we must rely more on manual\nthan automated processes" but that "we do not have evidence at\nthis time to believe that the actual management integrity of the\nCommission is materially weakened by reliance on manual\nprocessing." It should be noted that the scope of this review\ndid not included an assessment of the manual controls associated\nwith the Commission\'s collection process and that we are not,\ntherefore, expressing an opinion on the adequacy of those\ncontrols. A copy of the cover memorandum is included as Appendix\nE in this report.\n\n     The Commission\'s Collection System is a financial\napplication. As a financial application, it should adhere to\nstrong internal controls, security controls, and management\ncontrols in accordance with OMB circulars and FCC Security\nDirectives. The one hundred twenty-eight (128) observations and\nrecommendations contained in this report would indicate the\nCollection System is not in compliance with OMB, or the FCC\nSecurity Directives. The Collection System as it exists at the\ntime of this review, does not evidence all payment transactions,\ndoes not provide clear audit trails for changes made to payment\ntransactions, does not provide for an adequate level of logical\ninternal controls, does not reconcile to the General Ledger, and\nsupports less than thirty percent (30%) of desired functionality.\n\n     Our review further revealed that it would be cost\nprohibitive to bring the current in-house developed Collection\nSystem to an acceptable level of functionality in compliance with\nOMB and FCC Security Directives. Therefore, it is our opinion\nthat it is in the best interest of the Commission that a COTS\nproduct should be evaluated, selected, and implemented. The\nexisting Collection System should be minimally maintained during\nthe period the COTS product is evaluated, selected, and\n                                3\n\x0cimplemented. Once the COTS product is implemented, the existing\nCollection System should be phased out.\n\n     On June 9, 1998, the OIG issued a draft report summarizing\nthe results of this review. On September 8, 1998, the OMD and\nWTB issued a joint response to the draft report. In their\nresponse, they indicated concurrence with one hundred twenty-six\n(126) and non-concurrence with two (2) of the one hundred twenty-\neight (128) observations and recommendations. In addition, the\nresponse indicated concurrence with the data integrity portion of\nthe review conducted by E&Y and summarized in Section F of this\nreport. We have incorporated each OMD/WTB response by\nobservation into the body of this report. In those cases where\nit was appropriate, we have provided comments to the OMD/WTB\nresponse. In addition, we have attached a complete copy of the\nresponse as Appendix C to the report.\n\n\n\n\n                                4\n\x0c                            ACKNOWLEDGMENT\n\n\n     The Review team acknowledges the contributions of all that\nwere involved with the Special Review of the Collection System.\nTheir efforts were highly professional and contributed to the\nsuccessful completion of this effort.\n\n            NAME                       ORGANIZATION/COMPANY\n\n     Mr.   Tom Holleran                      FCC, FOD\n     Ms.   Linda King Friedman               FCC, FOD\n     Ms.   Regina Dorsey                     FCC, BCB\n     Mr.   Linwood Jenkins                   FCC, BCB\n     Mr.   John Bopp                         FCC, Wireless\n     Mr.   Andy Cox                          FCC, Wireless/OMD\n     Ms.   Rachel Kazan                      FCC, Wireless\n     Mr.   Bob Snow                          FCC, OMD ITC\n     Ms.   Robbie Burroughs                  Computech, Inc.\n     Ms.   Cathy Ganneck                     Computech, Inc.\n     Mr.   Sam Orlando                       Computech, Inc.\n\n\n\n\n                                  5\n\x0c                        TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY...............................................1\n\nACKNOWLEDGMENT..................................................5\n\nA. CONCEPT OF OPERATIONS........................................7\n\n     1.   Introduction                                 7\n     2.   Systemic Functions                           8\n     3.   Site Location                                8\nB. PURPOSE OF THE SPECIAL REVIEW................................8\n\nC. REVIEW TEAM..................................................8\n\nD. SPECIAL REVIEW APPROACH......................................9\n\n     1.   Phase I Collection System Evaluation         9\n     2.   Phase II Data Integrity Review               14\nE. DETAILED RECOMMENDATIONS PHASE I............................15\n\nF. DETAILED RECOMMENDATIONS PHASE II...........................65\n\nG. OVERALL CONCLUSIONS.........................................66\n\n     Appendix A:    Ernst & Young L.L.P. Report entitled\n                    "Collection System Agreed Upon Procedures\n                    Report," dated April 24, 1998\n\n     Appendix B:    Representation Letter from FCC Management to\n                    Ernst & Young L.L.P.\n\n     Appendix C:    Memorandum, dated September 8, 1998, from the\n                    Managing Director and Chief, Wireless\n                    Telecommunications Bureau entitled "Responses\n                    to the Draft Special Review Report No. 97-21"\n\n     Appendix D:    Selected Citations from Office of Management\n                    and Budget (OMB) Circulars and FCC Policies\n\n     Appendix E:    Memorandum, dated December 31, 1997, from\n                    Chairman Kennard to President Clinton\n                    forwarding the FY 1997 FMFIA Annual Report\n                    for the Federal Communications Commission\n\n\n                                6\n\x0cA.   CONCEPT OF OPERATIONS\n\n     The FCC was originally established by the Communications Act\nof 1934. In February 1996, President Clinton signed into law the\nTelecommunications Act of 1996 that contained the first major\noverhaul of the telecommunications rules and regulations in over\n60 years. The FCC is an independent United States government\nagency, directly responsible to Congress. The primary mission of\nthe FCC is to promote competition among the five lanes of the\ninformation super highway: broadcast, cable, wire, wireless, and\nsatellite. The FCC has Bureaus that represent each lane, plus\nthe Compliance and Information Bureau.\n\n     The Commission\'s Collection System began as a tracking\nsystem on a Honeywell mainframe. The purpose of the system was\nto keep record of application and regulatory fees paid into\nCommission bank accounts. The manual processing that kept\nrecords of the regulatory fee payments was converted into\ncomputer processes to keep records of the regulatory fees. The\nCommission personnel were familiar with the mainframe technology,\nthe manual processes, and were successful in converting those\nmanual processes into computer processes.\n\n     On August 10, 1993, the Omnibus Budget Reconciliation Act of\n1993 was amended to add a new section 309(j) to the\nCommunications Act of 1934. This amendment gave the FCC express\nauthority to employ competitive bidding procedures to distribute\nlicenses for spectrum services. In order to track the payments\nas a result of winning bids, the FCC had to develop systems to\nsupport the auction process. The FCC established a reimbursable\nagreement with the Department of Justice (DOJ). Under this\nagreement, the FCC contracted with DynCorp to modify the existing\ncollection system and convert from a mainframe to a client-server\noperating environment. After much disappointment, the FCC then\nmoved to contract with Computech to build the Collection System.\n Since 1994, well over $4 million dollars have been spent on the\ndevelopment of the Collection System.\n\n1.   Introduction\n\n     a.   Purpose. The purpose    of this special review was to\nassess the existing and planned   abilities of the Collection\nSystem to meet FCC requirements   and recommend alternate\ncommercial-off-the-shelf (COTS)   solutions. The review was\nintended to be a quick study of   the Collection System to quickly\nprovide feedback on areas where   improvements can be made.\n\n     b. Requirements:    The criteria used for this review were\nOffice of Management and Budget (OMB) Circulars and Commission\npolicies. These criteria included:\n\n     Office of Management and Budget (OMB) Circular A-130,\n     entitled "Management of Federal Information Resources," as\n                                7\n\x0c     revised February 8, 1996.\n\n     Office of Management and Budget (OMB) Circular A-123,\n     entitled "Management Accountability and Control," as revised\n     June 21, 1995.\n\n     Office of Management and Budget (OMB) Circular A-127,\n     entitled "Financial Management Systems," as revised July 23,\n     1993.\n\n     Federal Communications Commission (FCC) Directive FCCINST\n     1479.1, entitled "FCC Computer Security Program," dated\n     November 30, 1995.\n\n2.   Systemic Functions\n\n     The FCC\'s Collection System was the specific application\nfocused on during this special review.\n\n3.   Site Location\n\n     Work on this special review was conducted primarily at the\nFCC\xe2\x80\x99s headquarters facility located at 1919 M Street in\nWashington, D.C. For the purpose of understanding the full\ncollection cycle, interviews were also held with fee collection\npersonnel in Gettysburg, Pennsylvania and with Mellon Bank staff\nin Pittsburgh, Pennsylvania.\nB.   PURPOSE OF THE SPECIAL REVIEW\n\n     The purpose of the special review was to examine the current\noperational collection system and assess its ability to meet\nrequirements; assess on going and planned system\ndevelopment/modification efforts and determine their effect on\nsystem performance following implementation; and develop\nrecommended system performance solutions including\nidentification/assessment of commercially available products. In\naddition, following discussions with FCC management, the review\nwas modified to include an assessment of the integrity of data\ncontained within the Collection System to ascertain whether\nrecorded transactions are complete, valid, accurate, properly\nclassified, properly recorded, and recorded in a timely fashion.\nThe scope of this special review did not extend to security,\neither physical or logical, outside of the Collection System.\nThose are separate reviews to be conducted at another time,\noutside the scope of this review.\nC.   REVIEW TEAM\n\n     The Review Team included representatives from the FCC Office\nof Inspector General (OIG) and TWM Associates, Inc. The\nfollowing is a list of individuals who participated in the\nreview.\n                                8\n\x0c     Thomas Bennett,     FCC, OIG                 Team   Member\n     Paul Brachfeld,     FCC, OIG                 Team   Member\n     Thomas Housman,     TWM Associates,   Inc.   Team   Member\n     Keith Meins,        TWM Associates,   Inc.   Team   Member\n     Sanjay Shantaram,   TWM Associates,   Inc.   Team   Member\n     Thomas Welch,       TWM Associates,   Inc.   Team   Member\n     Bruce Wilkins,      TWM Associates,   Inc.   Team   Member\n     Lisa Wilkins,       TWM Associates,   Inc.   Team   Member\n     Nicole Williams,    TWM Associates,   Inc.   Team   Member\nD.   SPECIAL REVIEW APPROACH\n\n     The Special Review Approach was based on a two-phased\napproach. Phase I was the evaluation of the Collection System.\nPhase II was the data integrity review performed by E&Y.\n1.   Phase I Collection System Evaluation\n\n     The following provides an outline of the procedures\nperformed in order to accomplish the objectives of Phase I of the\nCollection System Review. OMB and FCC guidance were used to\nassess the Collection System and to develop observations and\nrecommendations. The procedures performed included a look at the\nCollection System Cycle, review of program coding (shell scripts,\nstored procedures, etc.), review of the data elements, review of\nprogram documents (i.e., contractor support Statement of Work,\nQuality Assurance plans, Project plans, etc.), review of Sybase\nsecurity and other pertinent procedures.\nOMB Circular Guidance\n\nOMB Circulars A-123, A-127, and A-130 provide guidance to Federal\nagencies as to how financial applications should be developed,\nimplemented, and maintained. Essentially, these Circulars\nestablish that development of financial applications should\ninclude: Effective internal controls, proper System Development\nLife Cycle (SDLC) methodologies and cost/benefit analysis,\nmovement towards COTS, and maintenance of adequate audit trails\nand transactional records to support the general ledger. Several\nspecific OMB Circular citations were used as guidance in\ndeveloping the detailed observations and recommendations during\nthe evaluation of the Collection System. The specific citations\nare included in Appendix D. The detailed recommendations refer\nto OMB Guidance as a whole and are not tied to specific\ncitations. The OMB citations are included in the appendix for\nease of reference.\nProcedures Performed\n\nCycle vs. System. It became evident early in the review that not\nall users of the Collection System viewed the application in the\nsame manner. Most users and personnel interviewed viewed the\n                                9\n\x0capplication as just a tracking mechanism. Others viewed the\nsystem as a financial application. Through our discussions it\nbecame apparent that the Collection System entailed more than\njust a tracking mechanism and was actually supposed to be a part\nof a larger Collection Cycle vs. a Collection System. The\nCollection Cycle consists of: gathering banking information,\napplication of banking transactions at both the accounting sub-\nledgers and general ledgers, collection on past due payments,\nanalysis of collection activities, bank account transaction\nrecording in the general ledger, reconciliation of general ledger\naccounts to bank statements, and reconciliation of accounts\nreceivable sub-ledger to the general ledger accounts.\n\nShell Scripts. Powerbuilder scripts, SQL, and C Programs Review.\nShells Scripts, SQL, Powerbuilder scripts, and C Programs are\nused in conjunction with the Sybase Stored Procedures to schedule\nbatch jobs and perform other programming needs. The scripts and\nprograms were reviewed to determine completeness,\nstandardization, and programming quality.\n\nStored Procedures. The Collection System is built using Sybase\nSystem 11. Sybase System 11 uses Stored Procedures that allow\nfor business or application processing logic to be placed within\nSybase and be executed on the main computer. The stored\nprocedures were reviewed to identify and evaluate the programming\nstandards used and the quality of programming contained within\nthe stored procedures.\n\nLog files. Logs within the Collection System environment are\nused to keep records of programs that are started, completed, and\nerrors that occur during the process. Logs are only written to\nif the program has been programmed to do so. The log files were\nreviewed to determine if there was any indication of problems,\nsignificant amounts of stops and restarts, and potential error\ntrending.\n\nData Elements. Data dictionaries contain the definitions of all\nthe data elements used in the database. Data dictionaries\nusually contain a description of the field, the format of the\nfield, and the date last altered. The Data Dictionary was\nreviewed on line for complete data elements, professional\nlanguage describing the data elements, and for completeness in\nthe descriptions.\n\nDatabase Entities. Data entities contain the definitions of all\nthe data elements used in a given table or entity. Data entity\nrelationships usually contain a description of the entity, the\nfields included in the entity, the primary key or field, and the\ndate last altered. The Data Entities were reviewed on line for\ncomplete descriptions, professional language, and for\nnormalization.\n\nEvents Lists.   Library Lists, and Database Fill.   The Events List\n                                 10\n\x0cis used as a basis for determining the modules to be created for\nthe application. The Events List was reviewed to determine the\nautomation of manual processes and inclusion of user requirements\nand functionality. The Library List is the list of all\nproduction source code for the Collection System. The Library\nList was reviewed to determine extent of standard naming\nconventions and security access. Data Fill consists of the\nplacing of spaces or zeroes into a data record for further input\ninto the database at a later point in time. The Data Fills were\nreviewed to determine the extent of use of such items.\n\nNarrative Descriptions. The developers of the Collection System\nprepare narrative Descriptions. The Narratives describe the\nsteps and procedures utilized by various user groups to assist\nthem in the completion of the transactions. The Narratives were\nreviewed to determine the completeness and the logical flow of\nthe narratives made sense to an unfamiliar user.\n\nUser Manual. The user manual is usually indicative of how the\nuser maneuvers through an application. The Team performed a\ncursory review of the User Manual to gain an understanding of the\nprogrammed application from a user perspective.\n\nProject Plans and Status Updates. Project plans are typically\ndocuments used to indicate the overall objective of the project,\ndefine the project maintainability, use of security,\nexpandability, etc. Interviews were conducted and documents were\ngathered and evaluated for completeness of content with respect\nto a project plan. Status Reports are typically documents used\nto indicate the individual tasks being worked on by the\ndevelopment team and agreed to by the users for whom the\ndevelopment effort is being performed. Status reports typically\ninclude a list of action items, who is responsible for those\nitems, the length of time for completing the items, and a source\nor mapping to user requirements for items being worked on.\nStatus reports are usually the result of status meetings, which\nare held on a periodic basis. These were reviewed to determine\ncompleteness of content.\n\nSecurity. To review the security over the Collection System\napplication, several areas were considered. The first was the\nuse of the C or Unix scripts. Second, Sybase access control was\nreviewed. Third, Collection System application tables access was\nreviewed. Fourth, Sybase Stored Procedures (i.e., programs) were\nreviewed. There were no reviews performed over the operating\nsystem security or manual controls over spreadsheet applications\nor PCs.\n\nUser Meetings. Meetings were held with various key personnel\ninvolved in the historical development of the Collection System\nor actively involved in the on-going development or operations of\nthe Collection System. The purpose of these meetings was to\nascertain the development environment, potential functional\n                                11\n\x0crequirements, and to develop an understanding of the development\nprocess used historically and in the present time. Users were\nconsidered to be those in development, database maintenance,\nFinancial Operations Division (FOD), Billing and Collections\nBranch (BCB), Wireless, Information Technology Center (ITC), and\nAcquisitions.\n\nBureau and Office Meetings. Meetings were held with other\nBureaus and Offices within the Commission who use the Collection\nSystem. The purpose of these meetings was to ascertain the\npotential functional requirements, and to develop an\nunderstanding of how the department makes use of the information\ncontained in the Collection System. Bureaus and Offices included\nGettysburg Fee Processing, International, Common Carrier, and the\nOffice of Engineering and Technology.\n\nBank and Lockbox Processing. FCC primarily uses Mellon Bank to\nreceive its monies collected in terms of dollars. First Chicago\nBank is also used to collect monies, primarily for the Fines &\nForfeitures. Mellon Bank transmits banking information in an\nAFCC specific layout on a daily basis and then overnights the\npayments processed in hardcopy to the FCC. First Chicago does\nnot transmit electronically, but overnights the payments\nprocessed in hardcopy to the FCC. Bank processing procedures\nwere discussed with FCC personnel and with Mellon Bank\nrepresentatives. The Mellon Bank lockbox operations and file\nlayouts for bank transmission of bank account activity to FCC\nwere reviewed. Pricing information and procedures were compared\nto other banks providing lockbox processing.\n\nSteering Committee. As part of the Collection System Review, FCC\nManagement requested that the OIG chair a Collection Systems\nSteering Committee comprised of representatives from the\nFinancial Operations Division (FOD), the Auctions Division of the\nWireless Telecommunications Bureau (WTB), and the Information\nTechnology Center (ITC). In addition, the Contracting Officers\nTechnical Representative (COTR) for the existing collection\nsystems development and maintenance task orders was invited to\nparticipate in steering committee meetings. The Steering\nCommittee was established in August 1997. The Steering\nCommittee: prepared a mission statement which was reviewed and\napproved by FCC Management; provided the working traits expected\nfor personnel working on the Collection System; prepared the\nStatement of Work for the Big Six Data Integrity Review;\nrecommended to FCC management the selection of the Big Six firm;\nand assisted in Collection System Review status presentations to\nFCC management. In addition, the Steering Committee kept abreast\nof the status of the Data Integrity Review by E&Y and reviewed\nthe functionality requirements prepared as part of the Collection\nSystem Review. The Steering Committee also prepared the Position\nDescription for the Project Manager to be hired for the\nCollection System migration to COTS.\n\n                               12\n\x0cFunctional Requirements Analysis. The approach was to establish\na generic model (which could be used in any environment) and then\nincorporate the FCC specific requirements into the model. This\nwas a preliminary review since, presumably, the incoming Project\nManager will perform a full functional requirement analysis.\nInterviews with users and documentation they provided were used\nas the basis for the FCC requirements or desired functions.\nDocumentation was then obtained for selected COTS packages. From\nthe FCC requirements and COTS documentation, the functionality\nmatrix was built and indicated a 1 if the function was present in\nthe software (COTS or existing Collection System) or a 0 if the\nfunction was not present in the software. Once the model was\nestablished, the model was reviewed with the members of the\nSteering Committee. Weighting of the functional requirements was\nbased on deemed importance to the users of the Collection System,\nwhich was reviewed with Steering Committee members and adjusted\naccordingly. The model was then used to compare the COTS\npackages to the existing Collection System for percentage of\nfunctionality incorporated in the packages.\n\nBenchmarking. In order to determine the trend of accounting\nsoftware application development within the government agency\nenvironment, it was deemed necessary to talk with other\ngovernment agencies. The talks with other government agencies\nwere to determine what type of software is used for their core\naccounting applications. The type of software refers to\nCommercial Off-The-Shelf (COTS) or in-house Developed (IHD).\nCore accounting applications are deemed as General Ledger,\nBudget, Funds Control, Accounts Payable, Accounts Receivable, and\nCollections.\n\nCOTS Packages. To determine what COTS packages should be used\nfor the functional requirement analysis, research was conducted\nto determine the most complete and current COTS packages out in\nthe financial marketplace. Five COTS packages were selected that\nentailed accounts receivable processes and that market the\nFederal Government and are used by other Government Agencies. In\naddition, two Treasury Workstation packages were also selected to\nbe included in the evaluation process since Treasury Workstations\ntypically perform the front-end processing of a Collection System\nprocess. Vendors for each COTS package were contacted to obtain\ndetails about each product and pricing information. A\npreliminary cost analysis was performed based on the available\ninformation. The costs reflect ballpark figures for the purpose\nof demonstrating costs of COTS packages relative to the existing\nCollection System.\n\nSystem Development Methodology Analysis. The Team was requested\nto review the existing Collection System Developers Quality\nAssurance (QA) and System Development Plans. From those plans,\nthe Developers were queried as to how they adhered to their own\nQA and System Development Plans, including milestones and\ndeliverables.\n                                13\n\x0c2.   Phase II Data Integrity Review\n\n     This phase engaged E&Y as a subcontractor to TWM Associates,\nInc. to assist the FCC in testing certain elements in the\ncollection database. The testing was part of an effort to gauge\nnext steps in implementing a new system and assessing the data\nincluded in the existing database. The procedures performed were\noutlined in the statement of work, and were further discussed and\nrefined in subsequent meetings between FCC representatives, FCC\nOIG, TWM, and the Collection System Steering Committee.\n\n     The testing requested consisted principally of utilizing\ncomputer-assisted techniques to select a sample of transactions\nfor testing of information in the database extract provided\nagainst source data.\n     For each transaction selected in the sample, E&Y agreed the\ndata included in the collection file to supporting documentation.\nThis included tracing transactions to:\n\n     \xe2\x80\xa2    Files containing Form 159 remittance documents or\n          equivalent;\n\n     \xe2\x80\xa2    Spreadsheets used outside of the collection system to\n          track up-front auction payments;\n\n     \xe2\x80\xa2    Bank statements to agree transactions to wire transfer\n          evidence (wire slips);\n\n     \xe2\x80\xa2    Auction Installment Payment (AIP) report extracts to\n          substantiate Automated Clearinghouse (ACH) evidence;\n\n     \xe2\x80\xa2    Refund spreadsheets to agree transactions netting to\n          zero; and\n\n     \xe2\x80\xa2    Refund extracts from the National Finance Center (NFC)\n          and the Federal Financial System (FFS).\n\n     Specific data elements included date payment received, payor\nname and address, amount, FCC account number and fee control\nnumber, payment type code, and payment method.\n\n     For certain types of transactions, including wire transfers\nbetween FCC bank accounts, residual payments from successful\nauction bidders, and transactions related to the Client Initiated\nPayment Program, E&Y agreed a subset of data elements between the\ncollection database and the supporting documentation. In these\ncases, the remaining data elements are not required on the\ndocumentation received. For example in their Agreed-Upon-\nProcedures report, E&Y reported that:\n                               14\n\x0c     \xe2\x80\xa2    For wire transfers between the lockbox provider and the\n          FCC, they agreed the payor name and the amount from the\n          wire slip to the collection database.\n\n     \xe2\x80\xa2    For residual payments from successful auction bidders,\n          they agreed the FCC account code, the Payor name,\n          address, and amount from the collection database to the\n          appropriate Auction spreadsheet and agreed the\n          spreadsheet total to the Lockbox Provider Bank\n          Statement.\n\n     \xe2\x80\xa2    For the Client Initiated Payment Program, they agreed\n          payment name and amount from the Lockbox Providers AIP\n          report.\n\n      In addition, E&Y reviewed the document files for those\ntransactions selected and documented any refund activity noted in\nthe files provided. E&Y traced the refund activity to two data\nfiles provided by FCC Office of Managing Director:(1) general\nledger accounts payable extracts files including refund activity\nfor the related period; and (2) a paradox file of all\ntransactions reloaded into the collection system in April/May\n1997.\n\n     Finally, during the review of the collection files, E&Y\nidentified ninety-two (92) Form 159 FCC Remittance Advise\ndocuments identifying amounts greater than $100,000 that were not\ndirectly traceable to the sample. Additional procedures were\nidentified and performed to determine if the amounts represented\nvalid transactions that should be included in the collection\ndatabase. These procedures included:\n\n     \xe2\x80\xa2    Tracing those items representing Auction upfront\n          payments and refunds to the appropriate Auction\n          Spreadsheet,\n\n     \xe2\x80\xa2    Agreeing transactions to supporting documentation that\n          a name change had taken place and the item, under the\n          new name, was represented within the sample, and\n\n     \xe2\x80\xa2    Agreeing the summarization of two (2) Form 159s to a\n          summarized transaction within the sample.\nE.   DETAILED RECOMMENDATIONS PHASE I\n\n     Following are the detailed observations noted during Phase\nI. The observations are grouped by classification. The\nclassifications assigned were:\n\n     A    Audit trail controls issues.\n                               15\n\x0c     B    Banking related matters to improve efficiency or costs.\n     C    Contracting matters.\n     D    Database issues.\n     I    Internal control issues affecting segregation of duties\n          and compromise of controls.\n     P    Programming related matters.\n     PI   Process improvement matters.\n     PO   Policy and procedures issues.\n     S    Security issues.\n     SDLC Life Cycle development issues.\n\n     If an observation represents more than one classification,\nit is shown in the first occurrence of the classification only.\nWhere applicable, references to other classification categories\nare noted in parenthesis at the end of the observation.\n\n     The individual observations and recommendations have also\nbeen assigned an exposure rating of High, Medium, or Low. The\nrating of High is assigned when it is perceived the segregation\nof duties is compromised and/or the security risk is high enough\nto possibly cause on-going operational concerns or business\ndisruptions. The rating of Medium is assigned when it is\nperceived the segregation of duties may be compromised and/or\nsecurity risk is medium to cause on-going operational annoyances,\nbut would not cause a business disruption in the event of an\noccurrence. The rating of Low is assigned when it is perceived\nthe segregation of duties could be compromised and/or security\nrisk is low to cause on-going operational efficiency issues, but\ndoes not cause a business disruption in the event of an\noccurrence. The category of each observation (i.e., high,\nmedium, or low) is identified at the end of each observation\nenclosed in brackets.\n\nAudit Trail Control Issues\n\nAudit trail controls determine the ability of the information\nbeing processed to be traceable throughout the cycle of the data\nused. From the introduction of the data through the recording of\nthe data to the reporting of the data, controls are present to\nensure the data retains its\' integrity. In addition, processes\n(manual or computerized) which controls those data inputs,\nprocessing and outputs also affect the audit trail controls. The\nlack of definitive and effective audit trail controls may result\nin erroneous data, which may be contained in the database, other\napplications which obtain data, reports to management, and may\nresult in decisions based on faulty or incorrect assumptions\nbased on the data provided.\n\n1.   Observation: As part of a data quality review, the\n     Collection Database was loaded with data from a Paradox\n     file. The Paradox file was not a direct feed from Mellon\n     Bank. Though Mellon Bank information may have been used as\n\n                               16\n\x0c     the basis for the Paradox file, many of the individual data\n     elements (i.e., transaction date, address, payor, amount,\n     payment type code, etc.) were changed. The Paradox file was\n     loaded into the Collection Database without: a proper audit\n     trail, evidence supporting the individual changes, evidence\n     supporting the deletion of transactions which netted to zero\n     (i.e., upfront payments made and then refunded) or changes\n     made to the source documents originally supporting the\n     transactions. The Paradox file information also did not\n     contain references back to the original transactions being\n     adjusted. (I, P, S) [High]\n\n     Recommendation: Do not allow updates to the Collection\n     Database without the proper supporting records and audit\n     trails.\n\n     OMD/WTB Response: Concur, all updates to the system shall be\n     supported by proper source documents and provide complete\n     audit trails.\n\n2.   Observation: The Collection System does not have the\n     functionality in place to allow for the proper traceability\n     of changes to a transaction (i.e., change of name, address,\n     amount, etc.) as required for an accounting system under OMB\n     guidance. (P) [High]\n\n     Recommendation: Whether the Collection System is enhanced or\n     another system is put in its place, ensure there is proper\n     functionality and audit trails for making changes, updates,\n     insertions, and deletions to the transactional database.\n\n     OMD/WTB Response: Concur, efforts are underway to ensure\n     that the current system properly provide the necessary\n     functionality and audit trails for making changes, updates,\n     insertions, and deletions to the transactional database.\n     Required coding changes to ensure that the current system\n     corrects this finding are due to be placed into production\n     on December 31, 1998.\n\n     A mandatory requirement will be included in the RAMIS RFP to\n     assure that audit trails are maintained for all transactions\n     including changes to table entries.   (Second Quarter FY\n     1999)\n\n3.   Observation: Not all collection related transactions are\n     loaded and recorded in the Collection Database (e.g.,\n     Auction 11 refunds, upfront payments, unsupported\n     transactions, installment payments, credit card transactions\n     in 1995, or AIPs). While some of the information may have\n     been provided to contractor support to load into the\n     database, the programming to provide the load did not occur.\n      (D, I, P) [High]\n                               17\n\x0c     Recommendation: Revise procedures to ensure all transactions\n     are properly recorded in the Collection System.\n\n     OMD/WTB Response: Concur, procedures shall be revised to\n     ensure that all transactions are properly recorded in the\n     Collection System. Revision to procedures due last quarter\n     FY 1998. All transactions will be recorded in RAMIS.\n\n4.   Observation: Edit controls to ensure the transmissions\n     received from Mellon Bank are valid, complete, accurate, and\n     for the proper date do not seem to be in place and/or\n     functioning properly. (B, I) [Medium]\n\n     Recommendation: Implement the proper automated edit controls\n     to ensure file transmissions received are valid (summary and\n     detail transaction records), complete (using the 01 and 99\n     BAI record identifiers in the file transmission), accurate\n     (file count and testing through the adding of details and\n     comparing to the summary record), and for the proper date\n     (date requested is the date received).\n\n     OMD/WTB Response: Concur, the lockbox nightly load process\n     has been modified to include proper automated edit controls\n     to ensure file transmissions received are valid (summary and\n     detail transaction records), complete (using the 01 and 99\n     BAI record identifiers in the file transmission), accurate\n     (file count and testing through the adding of details and\n     comparing to the summary record), and for the proper date\n     (date requested is the date received). Due to be placed\n     into production September 30, 1998.\n\n     The lock box service bank file transmission will need to be\n     reevaluated and changed depending on the COTS package\n     selected as the basis for the new system (RAMIS).\n     Recommendation #4 will be incorporated in the design of the\n     file transmission. (Implementation FY 2000)\n\n5.   Observation: When requesting a refund through the Collection\n     System, the person inputting the request can change the\n     payor name. (I) [Medium]\n\n     Recommendation: Alter   the system to disallow the changing of\n     the payor name unless   there is manager approval for such a\n     change and the change   is documented in the Collection system\n     along with the reason   for the change.\n\n     OMD/WTB Response: Concur, the Collection system will be\n     modified to require manager approval for payor name changes\n     by adjusting permission grants. Review of the current\n     system design will be performed in September 1998, with\n     required modifications due first quarter 1999. RAMIS\n                                 18\n\x0c     implementation will include Recommendation 5.   (RAMIS\n     implementation FY 2000).\n\n6.   Observation: Wire transfers into FCC bank accounts are not\n     always accompanied by Form 159s. In addition, Mellon Bank\n     does not always prepare the Form 159s for those transfers.\n     However, only the information keyed in Mellon Bank is\n     transmitted to FCC for the Collection System data\n     population. Use of the specialized Form 159 keying\n     procedures and transmission of information increases the\n     chances for information to be lost or mis-keyed, causing\n     improper recording or untimely recording of payment\n     information. (B, PI, SDLC) [Low]\n\n     Recommendation: For any type of electronic payment or\n     non-check payment, Mellon Bank should not key in the\n     information. This information should be transmitted\n     electronically to the Commission through standard BAI\n     formats, not through a specialized FCC format (i.e., Form\n     159).\n\n     OMD/WTB Response: Concur, this recommendation shall be\n     explored during the design of RAMIS. The lock box service\n     bank file transmission will need to be reevaluated and\n     changed depending on the package selected as the basis for\n     the new system. Recommendation #6 will be incorporated in\n     the design of the file transmission. (Implementation FY\n     2000)\n\n7.   Observation: Refunds of upfront payments typically exceed $1\n     million. Due to Treasury limitations, BCB breaks refunds in\n     excess of that amount into smaller payments. Without\n     permission from Treasury, this is an internal control that\n     is compromised. (PI) [Low]\n\n     Recommendation: Work with Treasury to adjust the limitations\n     in light of the business need for refunding auction payments\n     in excess of $1 million.\n\n     OMD/WTB Response: Non-Concur, this recommendation has been\n     overcome by events. In February 1996 Congress gave the FCC\n     authority to establish an interest bearing account for\n     deposit of incoming auction upfront money. Since that time,\n     all upfront refunds have been disbursed from the account via\n     Mellon\'s Telecash System(). The system allows the FCC to\n     process wire transfers without dollar limitation.\n\n     In addition, there will be a mandatory requirement that the\n     new system accommodate $999B dollar values. Treasury\n     guidelines concerning the maximum value of refund\n     transactions shall be addressed through the FFS interface.\n     The use of Mellon Telecash wire transfers significantly\n                               19\n\x0c      mitigates the impact of this issue on the Collections\n      System.\n\n8.    Observation: Credit card transactions were not all\n      authorized prior to granting the license or purchased\n      service. (I) [High]\n\n      Recommendation: Ensure strict authorization procedures are\n      documented for manual and automated processing of credit\n      card transactions.\n\n      OMD/WTB Response: Concur, OMD/WTB addressed this issue over\n      a year ago. Only authorized credit card transactions are\n      passed to the Commission via the nightly load. All non-\n      authorized credit card transactions are returned to the\n      applicant within 24 hours. The FCC is coordinating its\n      automated credit card program with the U.S. Treasury and is\n      in compliance with all Treasury rules, regulations, and\n      policies concerning the automated use of credit cards by a\n      federal agency.\n\n9.    Observation: Payments made into Mellon Bank without\n      sufficient information to identify the payor results in\n      undocumented manual procedures that are performed by a\n      programmer. (C, I) [High]\n\n      Recommendation: Document the processes for matching payments\n      to the information received from the bank.\n\n      OMD/WTB Response: Concur, this un-documented procedure is no\n      longer being performed. This observation has already been\n      corrected and the process replaced by a more efficient\n      procedure. On March 16, 1998, the FCC implemented new\n      procedures for reporting the customer initiated payments to\n      the Birmingham site.\n\n      The transmission file which has now been superseded did not\n      have sufficient information to allow for recording and\n      posting the payments. The new transmission file which\n      contains sufficient information for posting the payments,\n      thus eliminating the need for programmer intervention.\n\n      There will be a mandatory requirement in the new system that\n      corrections to batch files be made on-line with adequate\n      security. Use of database reference table edits will reduce\n      the need for intervention and manual correction.\n\n10.   Observation: Sybase contractors are responsible for placing\n      production code into the production environment. The\n      process for ensuring the production code program changes are\n      authorized, tested, and approved are informal. (D, I, P)\n      [High]\n                                20\n\x0c      Recommendation: Implement formal change control procedures\n      to ensure all program changes are authorized, tested, and\n      approved, prior to placing the code into the production\n      environment.\n\n      OMD/WTB Response: Concur, this recommendation has already\n      been placed into practice. All program changes are\n      authorized, tested, and approved, prior to placing the code\n      into the production environment. The Collections team has\n      separated development, test, and production into separate\n      regions. Test plans, and approval procedures are in place\n      to control any future software releases into production.\n\n      The RAMIS Project manager has proposed that separate regions\n      be dedicated to the new system for training, interface\n      development, conversion and acceptance/system testing,\n      production staging and production.\n\n      The COTS contractor will be required to maintain full\n      configuration management under the terms of the contract\n      during system modification, data conversion and roll out.\n      RAMIS maintenance procedures will incorporate Recommendation\n      # 10 as a part of the maintenance contract or will need to\n      be absorbed by FCC using commercial configuration management\n      software.\n\n11.   Observation: There are no formal security administration\n      procedures at the database level (though some user level\n      controls have been implemented at the application level).\n      There are five-hundred fifty-seven (557) active userids on\n      the Collection System, and of those, four-hundred seventy-\n      three (473) have no user information supporting the userids,\n      or authorization for those userids to exist on the\n      Collection System. (I, S) [High]\n\n      Recommendation: Implement formal security administration\n      procedures to ensure only authorized users have access to\n      necessary information, database elements, and stored\n      procedures. Implement a periodic review to ensure only the\n      necessary number of users have access to the Collection\n      System and that they are properly authorized for such access\n      to the Collection System.\n\n      OMD/WTB Response: Concur, a review of the Sybase and\n      application security administration is underway.\n      Furthermore periodic reviews shall be conducted to ensure\n      that only necessary users have access to the Collection\n      System. The number of system users shall be determined by\n      the needs of the users. The review which is currently\n      underway will be concluded by July 31, 1998.\n\n                                21\n\x0c      Security issues will be addressed as a part of the\n      implementation phase of the RAMIS project. Both operating\n      system security and application security will be documented\n      and implemented. (Implementation FY 2000)\n\n12.   Observation: There are no separate testing and production\n      environments. Without a proper testing and user acceptance\n      environment, daily operations can become unnecessarily\n      affected by programming bugs and other unknowns that may\n      have been corrected in a test environment (as evidenced\n      during the six week down time of the Collection System).\n      (D, I) [High]\n\n      Recommendation: Implement a formal testing and user\n      acceptance environment separate from the live production\n      environment for the Collection System.\n\n      OMD/WTB Response: Concur, OMD/WTB has already responded to\n      this problem by ensuring that a formal testing and user\n      acceptance environment exist separate from the live\n      production environment of the Collection System. This\n      change was made several months ago.\n\n      The RAMIS Project Manager has proposed that separate regions\n      be dedicated to the new system for training, interface\n      development, conversion and acceptance/system testing,\n      production staging and production.\n\n13.   Observation: Due to the Collection System development effort\n      longevity, daily Billing and Collections Bureau (BCB)\n      operations make use of spreadsheets to track incoming\n      monies, at least for the upfront auction payments,\n      withdrawal payments, refunds, and cash balances. (I)\n      [Medium]\n\n      Recommendation: During the testing and implementation of the\n      full Collection System (i.e. existing or future COTS),\n      ensure proper access controls and segregation of duties are\n      in place for the existing manual procedures surrounding the\n      maintenance of the spreadsheet used for tracking bank\n      transactions.\n\n      OMD/WTB Response: Concur, over the past year proper access\n      controls and segregation of duties were put in place for the\n      procedures used to tracking bank transactions. Missed\n      schedules and lags in the development effort forced the\n      Billings and Collections Branch (BCB) to create tools\n      (spreadsheets, etc) for recording, tracking, and reporting\n      transactions. Further, a task on the RAMIS project plan is\n      to evaluate current processes and procedure to identify\n      those that should be re-engineered to assure maximum\n      functionality from the selected COTS core package.\n                                22\n\x0c      (3rd Quarter FY 1999)\n\n14.   Observation: The audit log is not used in the Sybase\n      database for the Collection System. (D, I) [High]\n\n      Recommendation: Turn the audit log on for sensitive\n      procedures, sensitive accesses, and sensitive write\n      commands. Implement audit log review procedures to ensure\n      logged events are authorized and not indicative of\n      unauthorized activities. Audit log events also ensure\n      accountability of transactional changes.\n\n      OMD/WTB Response: Concur. The use of the system-level audit\n      capability has several technical issues, including space and\n      performance considerations, that must be researched and\n      resolved before steps could be taken toward implementation\n      of system-level auditing. Action will be taken to resolve\n      these issues and activate system-level auditing by September\n      30, 1998.\n\n15.   Observation: The Shell scripts used to load Mellon bank data\n      into the Collection Database did not contain the necessary\n      edit checks to ensure valid date and file completeness. File\n      completeness checks usually include a test to add the detail\n      transaction records together to determine if they match the\n      contents contained in the bank transmitted balance records.\n      However, if standard BAI Code file layouts are not used for\n      the bank transmission of information, this becomes much more\n      difficult. (B, D) [Medium]\n\n      Recommendation: Adjust the scripts to include checks to\n      ensure the transaction data included in the Mellon bank\n      transmission is for the expected transaction date. In\n      addition, file completeness edits should be included\n      (counting the number of headers and trailers does not ensure\n      file completeness for bank transaction transmissions).\n\n      OMD/WTB Response: Concur, The Collections Team will adjust\n      the nightly load Unix and SQL scripts to ensure that\n      necessary edits are in place to check inclusiveness of\n      transaction data for the expected transaction date and file\n      completeness. These scripts, which identify specific steps\n      to be taken in a specific order, process the data files sent\n      from Mellon on a nightly basis. Review necessary\n      adjustments - due September 30, 1998.\n\n      The lockbox service bank file transmission will need to be\n      reevaluated and changed depending on the package selected as\n      the basis for the new system. Recommendation #15 will be\n      incorporated in the design of the file transmission.\n      (Implementation FY 2000)\n\n                                23\n\x0c16.   Observation: Changes to modules are not currently under a\n      formal configuration management process (CM). It is left up\n      to the programmer. (I, P) [Medium]\n\n      Recommendation: Create a Configuration Management group that\n      manages the configuration. This group should not include\n      programmers or managers of programmers.\n\n      OMD/WTB Response: Concur, Configuration Management is\n      informal and should be made more formal. However,\n      Configuration Management should be controlled by the Project\n      Manager and the COTR.\n\n      The ITC accepts this recommendation. The FCC is pursuing\n      improvement on several paths. The first is by defining and\n      implementing an FCC SDLC. The second is through the ITC\n      providing increased support to programming task staff for\n      the management of software configuration changes/upgrades\n      etc. In support of this effort ITC recently purchased the\n      CAST Workbench. PVCS, PowerSite and other products that can\n      support this effort are under evaluation. Thirdly, ITC is\n      establishing a more defined and controlled process through\n      which releases/version are moved from development to\n      test/acceptance and implementation under the control of FCC\n      staff.\n\n      The COTS contractor, selected for RAMIS, will be required to\n      maintain full configuration management under the terms of\n      the contract during system modification, data conversion and\n      roll out. RAMIS maintenance procedures will incorporate\n      Recommendation # 10 and 16 as a part of the maintenance\n      contract or will need to be absorbed by FCC (probably ITC\n      contractors) using commercial configuration management\n      software.\n\n      OIG Comment: The intent of this recommendation was to ensure\n      that programmers are not responsible for configuration\n      management. We were not attempting in our recommendation to\n      dictate the structure of the configuration management group\n      except to recommend that it not be comprised of programmers\n      or managers with programming responsibilities. A project\n      configuration management group comprised of the COTR and\n      project manager is entirely appropriate as long as the\n      project manager does not also have programming\n      responsibilities.\n\n17.   Observation: The programming standards identified are\n      incomplete for a development program. The compliance to\n      existing standards during the review process could not be\n      verified. (I, P) [Medium]\n\n      Recommendation: Develop programming standards that all\n                                24\n\x0c      programmers must follow and institute a formal review\n      process that includes the verification that the developed\n      software conforms to the programming standards.\n\n      OMD/WTB Response: Concur. Changes in ITC contracts for\n      Sybase, PowerBuilder and web support staff now being made\n      will permit these contractors to work with FCC staff to\n      develop programming standards for the basic languages in use\n      at the FCC. These standards will be promulgated and their\n      use by Programming Services Contract (PSC) staff verified.\n\n      The RAMIS Project manager will work with ITC to assure that\n      all standards adopted by the FCC are adhered to during the\n      project.\n\n18.   Observation: Unit (development or enhancements) folders that\n      were provided by contract identified were not organized and\n      did not contain sufficient information for evaluation. (I,\n      P) [Medium]\n\n      Recommendation: Develop a standard for what is required in a\n      unit folder. Then initiate a review of all Unit folders for\n      compliance with the standard.\n\n      OMD/WTB Response: Concur, the RAMIS Project manager will\n      work with ITC to assure that all standards adopted by the\n      FCC are adhered to during the project.\n\n19.   Observation: Upfront payments prior to an auction and\n      upfront payments refunded, after the auction is concluded,\n      are not recorded in the general ledger. (I) [Medium]\n\n      Recommendation: All transactions should be included in the\n      general ledger, even if they are custodial in nature.\n\n      OMD/WTB Response: Concur, as part of the development of\n      RAMIS all transactions shall be included in the general\n      ledger, even those identified as custodial in nature. The\n      transaction shall be included in the new revenue system, and\n      be reported to the appropriate standard general ledger (SGL)\n      account.\n\n20.   Observation: Upfront payment activities are maintained on an\n      Excel Spreadsheet in BCB. The spreadsheet contains no\n      references to dates payments were posted to the bank\n      accounts. Manual controls over the integrity of the\n      spreadsheet have not been reviewed. (I) [Medium]\n\n      Recommendation: If the spreadsheet is to be used as a source\n      of management information, the date the money was posted to\n      the bank account should be included. In addition, the\n      controls surrounding the accuracy of the spreadsheet should\n                                25\n\x0c      be reviewed in order to ensure the integrity of the numbers\n      being provided for management information reporting.\n\n      OMD/WTB Response: Concur, all manually created spreadsheets\n      shall include the date the money/transaction was posted to\n      the bank account.\n\n21.   Observation: Verification and Validation was not performed.\n      (I, P, SDLC) [Medium]\n\n      Recommendation: The project should implement a tracing of\n      requirements to functionality. This traceability should\n      allow the government to determine the magnitude of efforts\n      that were proposed versus the cost of the as built. In\n      addition, the process should be conducted or monitored by\n      subject area experts.\n\n      OMD/WTB Response: Concur. The FCC is pursuing via contract\n      the development of an appropriate SDLC for adoption\n      throughout the Commission. This SDLC is expected to define\n      the development and tracking of initial requirements and to\n      establish a mechanism for maintaining requirements\n      definitions throughout the life cycle.\n\n      The RAMIS Project Manager will propose that the FCC hire or\n      task an IV&V contractor to perform tests against\n      modifications and interfaces and, depending on the\n      documented track record of the package selected, production.\n\n22.   Observation: Contractor staff do not produce minutes or\n      agendas for project meetings. In addition, only five months\n      of status reports were provided for a project that has been\n      on going for several years. (C, I) [Low]\n\n      Recommendation: All meetings that are paid for by the\n      government should be formally recorded and should, at a\n      minimum include an agenda, any action items, and minutes.\n\n      OMD/WTB Response: Concur, this practice is already in place\n      for all OMD/WTB funded contracts.\n\n      The RAMIS Project   Manager and the contractors will issue\n      regular bi-weekly   project status reports that address\n      issues, concerns,   and status on ongoing tasks and identify\n      completed tasks.    All meetings will be documented.\n\n23.   Observation: The developer is not following their proposed\n      Quality Assurance (QA) plan. In addition, of the few\n      documents produced, content can be significantly\n      strengthened. (C, I, SDLC) [Low]\n\n      Recommendation: The developer should be required to follow\n                                  26\n\x0c      the QA plan they proposed.\n\n      OMD/WTB Response: Concur, as a part of the SOW, peer reviews\n      will be required as part of the quality assurance function.\n\n24.   Observation: The developer should have meeting minutes   that\n      documents their perspective of events that occurred in   the\n      meeting. For the period February 1997 through March 7,   1997\n      weekly status reports were provided, but for no period   prior\n      to or after. (C, I, SDLC) [Low]\n\n      Recommendation: The developer should record all events that\n      occur in meetings that affect schedules, programming\n      efforts, enhancement efforts, or contractual requirements.\n\n      OMD/WTB Response: Concur, this practice is already in place\n      for all OMD/WTB funded contracts. As part of the RAMIS SOW,\n      contractors will be required to submit comments on meetings,\n      etc.\n\n25.   Observation: Due to the lack of userid documentation (i.e.,\n      the FCC personnel name, location, job responsibility, reason\n      for access, title, etc.), it is not feasible to associate\n      the userids with the groups defined in Sybase to determine\n      if the group and associated user access is reasonable. (I,\n      S) [Medium]\n\n      Recommendation: A full review of the Sybase access control\n      structure should be performed to fully document the\n      structure, ensure it is reasonable based on the program\n      structure, determine if the userids are current or should be\n      deleted, and then determine their reasonableness of access.\n\n      OMD/WTB Response: Concur, as stated previously a review of\n      the Sybase access control structure is underway. This\n      review is schedule to be completed and document by July 31,\n      1998.\n\n      Additionally, security issues will be addressed as a part of\n      the implementation phase of the RAMIS project. Both\n      operating system security and application security will be\n      documented and implemented.\n\n26.   Observation: The Sybase groups defined with access to stored\n      procedures and database objects does not seem reasonable and\n      does not seem to acknowledge a logical internal control\n      system.   In addition, there seems to be references to\n      userids which no longer exist (i.e., develop). (I, PO)\n      [High]\n\n      Recommendation: Review and correct group definitions as well\n      as individual user accesses to ensure access is considered\n                                   27\n\x0c      reasonable based on job responsibilities and based on a\n      sense of logical internal controls in accordance with OMB.\n      In addition, security access structures should be reflective\n      of the current environments. As the user base changes,\n      there needs to be processes in place to ensure that userids\n      are added, changed, and deleted accordingly.\n\n      OMD/WTB Response: Concur, the Collection\'s Team is in the\n      process of reviewing group definitions as well as individual\n      user accesses to ensure that access is based on job\n      responsibility and that logical internal control exist.\n\n      Security issues will be addressed as a part of RAMIS\'s\n      implementation phase. Both operating system security and\n      application security will be documented and implemented.\n\n27.   Observation: The Sybase access control reports showed\n      defined accesses to stored procedures which did not seem to\n      exist as they were not found in the extract of stored\n      procedures provided. (I, S) [Medium]\n\n      Recommendation: Administrative procedures must be put in\n      place to ensure that once stored procedures are added or\n      deleted, the appropriate access control changes are also\n      made.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been instituting administrative procedures to\n      ensure that all stored procedures added or deleted to the\n      Collections System are tracked to ensure that the\n      appropriate access control changes are also made and\n      documented. Under RAMIS, security issues will be addressed\n      as a part of the implementation phase of the project. Both\n      operating system security and application security will be\n      documented and implemented.\n\n28.   Observation: The Project Manager userid is aliased (i.e.,\n      defined) to the dbo, which has full permissions on all\n      objects in the database owned by the dbo. (I, S) [High]\n\n      Recommendation: In order to effect an appropriate logical\n      internal control function, no single person should have\n      access to the entire system. The Project Manager and\n      developer personnel should be restricted to the development\n      area only and should not have access to production or\n      operational environments.\n\n      OMD/WTB Response: Concur, security is of great concern and\n      has been reviewed by OMD/WTB to ensure that the appropriate\n      individuals have access only regions which meet their\n      specific needs. The Data Base Owner (DBO) alias does not\n      imply full permissions to all objects. Permissions are\n                                28\n\x0c      subset of those possessed by the DBA; the Project Manager\n      and DBA are trustees of the system. We caution reliance on\n      this observation, since the position of DBO is essential to\n      database maintenance.\n\n      OMD is currently working to implement a system development\n      and management life cycle plan to ensure that no one person\n      will have or be able to access the entire system.\n\n      Security and access issues will be addressed as a part of\n      the implementation phase of the RAMIS project. Both\n      operating system security and application security will be\n      documented and implemented.\n\n29.   Observation: The Sybase Configuration file shows many\n      default settings, which may or may not be appropriate for\n      the Collection System. Particularly, the lack of enforced\n      system-wide password changes, the use of allowing remote\n      access, and the number of allowed remote logins and remote\n      sites. (I) [Medium]\n\n      Recommendation: The Configuration File options should be\n      reviewed for their appropriate settings in the Collection\n      System.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Systems Database Administrator, COTR, and TPOC have reviewed\n      all settings and established a management control policy and\n      review system to ensure appropriate settings are maintained.\n\n      Security issues will be addressed as a part of the\n      implementation phase of the RAMIS project. Both operating\n      system security and application security will be documented\n      and implemented.\n\n30.   Observation: Non-standard naming conventions\n      (J:\\magoo\\dave\\***) are used for storing production source\n      code. (P) [Low]\n\n      Recommendation: Use standard naming conventions.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been reviewing naming conventions and, where\n      possible and feasible, been standardizing all naming\n      conventions. Under RAMIS standard naming conventions shall\n      be employed.\n\n31.   Observation: Weekly Status Reports and/or Problem logs did\n      not contain certain critical elements in order to be\n      effective management tools. Critical elements include: What\n      is the issue or discussion item; how did it become an issue\n      (i.e., what caused the problem or who requested); who is\n                                29\n\x0c      responsible for resolving the issue; how was the issues\n      resolved; when was it resolved. (P) [Low]\n\n      Recommendation: Rework the status reports to include the\n      critical elements.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team, COTR, and TPOC have reviewed and restructured all\n      status reports. Under RAMIS the status reports will be\n      reviewed and restructured based upon the needs of the FCC\n      and the limitations of the selected COTS package.\n\n32.   Observation: Because of the way in which bank information\n      and auction information is processed within the Collection\n      System, there is no subsidiary ledger for the Accounts\n      Receivable in the General Ledger. (I) [Medium]\n\n      Recommendation: Modifying the existing Collection System to\n      create a subsidiary ledger is cost prohibitive. Move\n      towards a different programming solution, considering COTS,\n      and ensure the subsidiary ledger is a requirement of the\n      system.\n\n      OMD/WTB Response: Concur, the new system will function as a\n      subsidiary ledger for all revenue, collection, and accounts\n      receivable. Loan activity will be carried in a separate\n      subsidiary ledger and will be summarized into the new system\n      and then include in the summary reporting to FFS.\n      (Implementation FY 2000)\n\n33.   Observation: Review of the Stored Procedures indicated the\n      intermingling of stored procedures labeled as test or temp.\n      (I, P) [Medium]\n\n      Recommendation: Test procedures should not be intermingled\n      within the production stored procedures. Separate and\n      distinct test and production environments should exist to\n      assure only authorized changes to production code and data\n      occur.\n\n      OMD/WTB Response: Concur, this recommendation has already\n      been satisfied, separate and distinct test and production\n      environments are utilized. Additionally, RAMIS development\n      and testing will be kept in separate environments from\n      production.\n\n34.   Observation: Execution of the extended fieldwork procedures\n      highlighted the need for further documentation in the files\n      in the event of bidder defaults and declining to participate\n      in the auction after their Form 159s have been sent in and\n      received by the FCC. (PI) [Low]\n\n                                30\n\x0c      Recommendation: Document in the files of the bidders when\n      they have defaulted or declined to participate in an auction\n      event if they have sent in a Form 159.\n\n      OMD/WTB Response: Concur, source documents without dollars\n      (FCC Form 159) shall be annotated by BCB to indicate non-\n      participation in the auction event.\n\n35.   Observation: During the Ernst & Young Data Integrity Review,\n      it became readily apparent that same FCC Account Numbers are\n      used to represent several companies. Although there may be\n      valid reasons for this condition (e.g., companies are\n      affiliated, company names have changed), it becomes very\n      difficult to ascertain payment and refund trails. (I, PI)\n      [High]\n\n      Recommendation: Manual or automated procedures should be\n      implemented to ensure a company name is associated with only\n      one FCC Account Number within the Collections Database to\n      ensure data integrity.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team, COTR, and TPOC have been addressing this issue. We\n      are currently testing several approaches for an automated\n      process for one name per account in order to ensure system\n      data integrity. The new nightly load, which is due in\n      production on September 30, 1998, will fulfill this\n      requirement by allowing the update and association of the\n      company name with the appropriate "FCC Account Number".\n\n      Relational systems will not allow duplicate keys. The TIN\n      as the primary key may present operational problems. A\n      unique key must be established and used by all interfaced\n      systems.\n\n36.   Observation: During the Data Integrity Review Procedures,\n      there were several instances in which items in the database\n      did not behave properly. Records that were shown on the\n      screen as reversed were still in the database with payment\n      amounts (e.g., Jennifer Plant wire reversal). Items which\n      should have been included in the database extract provided\n      to Ernst & Young were not included (e.g., Omnipoint).\n      Transactions that should have been in the database were\n      placed in the database through a Paradox upload vs. a Mellon\n      Bank transmission (e.g., Southeast Telephone LP). And a few\n      transactions for $1.3 billion showed only as .3 billion\n      (e.g., AT&T Wireless PCS Inc.) and $1.6 billion showed as .6\n      billion due to field limitations in the database (through\n      the details totaled the proper $1.3 billion on the Payment\n      Transactions Detail Report). (D, I, P) [High]\n\n      Recommendation: Ensure that the selected COTS package\n                                31\n\x0c      incorporates edits to detect these types of exceptions.\n\n      OMD/WTB Response: Concur, the RAMIS SOW will identify the\n      need for data quality checks and data integrity.\n\n37.   Observation: Initially, Auction 11 transactions were\n      recorded for using manual spreadsheets. After auction\n      completion, net transactions were keyed into the Collection\n      Database. Keying errors were identified in Auction 11\n      transactions when these manual records were keyed into the\n      collections database (e.g., Fee Control Number\n      9703068850904016). (D, I, PI) [Low]\n\n      Recommendation: All transactions, including upfront\n      payments, refunds, and withdrawal payments, should be\n      recorded directly into the Collections Database.\n\n      OMD/WTB Response: Concur, all transactions will be captured\n      in the current and new system as original entries.\n\n38.   Observation: A significant percentage of the dates recorded\n      in the Collection Database as Date Received were different\n      from the supporting documents by one to three days, and in\n      the case of auction payments, by months. For one check (Fee\n      Control Number 9409098835469001), there were two dates noted\n      where FCC asked Mellon to hold the check until the\n      regulatory fee window opened a few months later. The\n      integrity of the transaction recorded is compromised without\n      proper date information. (D, P) [Medium]\n\n      Recommendation: Transactions entered into the Collection\n      Database should reflect the proper date received, date paid,\n      etc.\n\n      OMD/WTB Response: Concur, transactions entered into the\n      Collection Database shall reflect the proper date received,\n      date paid, etc.\n\n39.   Observation: While reviewing files supporting auction\n      payments, many Form 159s were identified which did not have\n      corresponding transactions in the database. Subsequent\n      research had to be performed to identify if the forms were\n      duplicates or if the payor was in default or elected not to\n      participate. (D, I, PI) [Low]\n\n      Recommendation: Notations should be made on the Form 159s,\n      which are not supporting valid transactions.\n\n      OMD/WTB Response: Concur, annotation shall be made on the\n      Form 159s, which are not supporting valid transactions,\n      i.e., no money was received, or duplicate copy.\n\n                                32\n\x0c40.   Observation: Once auction events are completed, the monies\n      are moved from the FCC Interest Bearing account into the\n      Treasury bank account. These movements are recorded in the\n      Collection Database. In addition to the movements of the\n      net auction amounts are also recorded in the database. The\n      money movements between bank accounts are subsequently\n      reversed, but the payment amount field of the reversal is a\n      positive number while the detail amount field is a negative\n      number. This creates difficulties in obtaining reports from\n      the Collection Database unless all fields are properly\n      obtained. (D, I) [Low]\n\n      Recommendation: Traditionally, bank account to bank account\n      movements are recorded only in the cash accounts of the\n      general ledger. Only customer payments coming into a bank\n      account should be recorded in the Collection Database. The\n      Collection Database should be corrected to accurately\n      reflect the payment amounts as negative numbers in the\n      Payment Amount field for reversals to ensure reports\n      properly reflect the underlying detail transactions.\n\n      OMD/WTB Response: Concur, recommendations presumes to change\n      requirements and functionality; data must be accessed\n      completely, and in the proper manner, in order to obtain\n      complete results; finding is the result of improper data\n      access. This will be included in the Collections Contractor\n      tasking for FY 1999.\n\n      A mandatory requirement will be included in the RAMIS RFP to\n      assure that all transactions are recorded properly and that\n      reversals reflect underlying detail.\n\n41.   Observation: During the data integrity portion of the\n      review, the Commission was unable to provide supporting\n      documentation for selected transactions in a timely manner.\n      This condition is indicative of business process issues,\n      audit trail issues, and record-keeping issues. (I, PI)\n      [Medium]\n\n      Recommendation: Business processes for recording incoming\n      money, refunds, and other payment should be improved to\n      ensure that proper data elements are being recorded in the\n      Collection Database. Changes to any data elements should be\n      recorded with an adequate audit trail to allow for\n      determination of who made the change, the reason for the\n      change, and details concerning the specific change. This\n      should exist whether the change was to an automated or\n      manual record (i.e., documents maintained in the folders\n      supporting the transaction.\n\n      OMD/WTB Response: Concur, the new nightly load which is\n      scheduled to go into production on September 30, 1998, will\n                                33\n\x0c      correct this finding. The RAMIS SOW will specify that the\n      capability to retain notes with any transaction is highly\n      desirable.\n\n      Although the recommendation is based on an observation with\n      which we do not totally agree, we will continue to improve\n      our business processes to the maximum extent feasible.\n\n      OIG Comment: This observation was based upon work conducted\n      by E&Y as part of the data integrity portion of the review.\n      The results of the E&Y data integrity review are discussed\n      in summary in Section F of this document and the detailed\n      report is included as Appendix A to this report.\n\n      Management has stated that they "do not totally agree" with\n      the observation on which this recommendation is based.\n      However, they do not provide any details, either here or in\n      their response to Section F, indicating why they believe\n      that the observation is not factually accurate.\n\n42.   Observation: The Paradox Upload performed in May 1997 was\n      supposed to follow programmatic guidelines and rules for\n      "updating" records in the Collection Database. Throughout\n      the Data Integrity Review Procedures, database oddities\n      appeared though the transactions all had supporting\n      documentation showing money coming into the FCC bank\n      account. Upon further investigation, it was learned that\n      the Paradox Upload didn\'t function as intended, resulting in\n      many oddities within the database transactional records.\n      (D, I, P) [High]\n\n      Recommendation: Do not perform any "uploads" to the\n      collection Database that are not Bank originated\n      transmissions. Any changes to be made to bank transactions\n      should be made through an auditable process with proper\n      audit trails and supporting documents of the items changed.\n      Each of the transactions with the PDX initials (indicating\n      the record was generated or changed as a result of the\n      Paradox Upload) should be reviewed and tied to supporting\n      documents. If the record is not supportable, it should be\n      removed.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team, COTR, TPOC, and Mellon Bank have been developing a new\n      "nightly load" process. The nightly load is generated from\n      Mellon Bank and sent directly to the FCC\'s Collections\n      System. All changes to be made to Mellon\'s transmission\n      bank transactions follow a totally auditable process through\n      the Billings and Collections Branch (BCB). Prior to\n      migrating to RAMIS, the historical data maintained in the\n      collections database will be reviewed, validated, and\n      verified to determine if migration is recommended.\n                                34\n\x0cBanking Related Matters to Improve Efficiency or Costs\n\nBanking related matters concern those processes contained at the\nbank or at the Commission which involve the handling of banking\ninformation. When identifying areas for process improvement, the\nideal basis is to concentrate on single sources for information,\ninput, and processing in lieu of redundancy.\n\n43.   Observation: Mellon Bank is using primarily manual processes\n      for processing lockbox payment information including\n      handwritten fee tables; if-then type procedures; manual\n      adding of payment amounts; copying of documents; matching of\n      payments to 159 forms; preparation of 159 forms if there are\n      none; and creation of zero amount records. There is no use\n      of available technology to make the process more efficient\n      at the Bank or at the FCC. This leaves a significant room\n      for mis-keying and mis-matching of payments to supporting\n      documents. (PI) [Low]\n\n      Recommendation: Perform a lockbox bank processing analysis\n      and review of FCC payment processing procedures to make use\n      of more current computer technology for processing the high\n      volume of small dollar payments.\n\n      OMD/WTB Response: Concur, the RAMIS Project Manager will\n      work with the servicing banks to streamline processes and\n      improve data integrity. Since the "feed" will have to be\n      entirely rewritten to accommodate any system that is put in\n      place, this will be an ideal opportunity to improve our\n      processes.\n\n44.   Observation: The electronic interface between the Collection\n      System and Mellon Bank is using non-standard transmission\n      formats. Use of the non-standard transmission formats\n      ignores currently available technology and causes the need\n      for more maintenance at both Mellon Bank and at the FCC.\n      (PI) [Low]\n\n      Recommendation: Use the banking standard BAI format to allow\n      for identification of all payment types (i.e., check, wire\n      transfer, ACH, etc.) and for descriptive detail (i.e., payor\n      name, payor address, nature of the payment, etc.) to be\n      transmitted for potential matching in the Collection System.\n\n      OMD/WTB Response: Concur, the new system will use the BAI\n      terminology and formats to the extent feasible.\n\n45.   Observation: FCC does not receive full summary and detail\n      transaction records from Mellon Bank in the existing\n      electronic transmission. (PI) [Low]\n\n                                35\n\x0c      Recommendation: Direct Mellon Bank to furnish full summary,\n      detail, and returned item records from Mellon Bank in order\n      to properly populate the Collection System database.\n\n      OMD/WTB Response: Concur, the Commission shall request the\n      lockbox provide full summary, detail and return item records\n      to allow for the proper population of the Collection System\n      database. The request shall be submitted to the lockbox\n      bank on or before July 31, 1998.\n\n      The RAMIS system will be the control point for all servicing\n      banks transactions.\n\n46.   Observation: FCC issues approximately 700 wire transfers per\n      year at a cost of $10-12 per wire transfer. (PI) [Low]\n\n      Recommendation: Use ACH payments instead of wire transfers.\n      ACH rates are typically less (could be pennies per\n      transactions or at most $1-2 dollars) and can be issued with\n      one-day settlement instructions. This will result in bank\n      fee savings for the FCC.\n\n      OMD/WTB Response: Non-Concur, the use of wire transfer for\n      returning auction upfront money to non-winners is preferred\n      by the customer and has proven to be very efficient. This\n      is the only refund processing application which utilizes\n      wires, all other refunds utilize ACH or check, including\n      credit card refunds. There is no charge to the FCC for this\n      service.\n\n      The new system must be able to support a wide range of\n      receipt mechanisms as well as payment (refund) options.\n\n      OIG Comment: In their response, OMD/WTB have indicated their\n      decision to use wire transfers for customer convenience and\n      because it has proven to be very efficient. The response\n      also states that "(t)here is not charge to the FCC for this\n      service."\n\n      Certainly it is appropriate for management to take into\n      consideration such elements as customer convenience and\n      efficiency during the selection of a refund payment process.\n       The intent of our recommendation was to point out a lower\n      cost alternative. It is also worth noting that, although\n      the Commission is not charged for wire transfers, it is\n      likely that the Department of the Treasury incurs charges\n      for this service.\n\n47.   Observation: Multiple receipt files are sent from Mellon\n      Bank to the Collection System, and the FFS General Ledger\n      System. This means that there must be multiple input file\n      validation checks on the same banking data sent to several\n                                36\n\x0c      different locations.   (PI) [Low]\n\n      Recommendation: A central group should be used for obtaining\n      the banking information and then disbursing the information\n      to the other systems for processing. This central group can\n      then ensure the banking information is complete and for the\n      correct date, and it can be done once and only once instead\n      of the repetitive procedures in the multiple sites.\n\n      OMD/WTB Response: Concur, all transactions will be included\n      in the RAMIS database and will be transmitted in summary to\n      FFS for the general ledger and to other users to update\n      their databases. (Implementation FY 2000)\n\n48.   Observation: Wire transfers and ACH electronic payments are\n      paid into bank accounts monitored by the lockbox processing\n      area of Mellon Bank. Traditionally, electronic payments\n      (wire or ACH) are paid into separate bank accounts not\n      monitored or handled by the lockbox processing area. This\n      is done to ensure the immediate availability that comes when\n      those types of electronic payments are realized. If these\n      type of payments come into a lockbox account after the\n      lockbox cutoff time, the agency may not get the immediate\n      availability until the next business day, thus losing use of\n      funds for that time period. (PI) [Low]\n\n      Recommendation: The Commission should explore the\n      feasibility of establishing separate accounts outside the\n      lockbox processing area for electronic payments.\n\n      OMD/WTB Response: Concur, as a part of the business re-\n      engineering process, the RAMIS team will evaluate banking\n      processes and recommend changes depending on the COTS system\n      chosen.\n\nContracting Matters\n\nDuring the contracting process, attempts are made to place\nguidelines, standards, and units of measure for how the contract\nsupport should perform in order to carry out the Commission\nobjectives. Without adherence to those units of measure by the\nContractor Support teams and without enforcement by Commission\nrepresentatives, development efforts take on their own path\nwithout the success of the Commission as the goal. This path may\nor may not incorporate the appropriate controls required in\nfinancial applications. As a result, many of the controls are\nleft out or are compromised during the development process. The\nend result can be applications that do not meet the desired\nfunctionality of the Commission, do not support the proper\ninternal control structures for adherence to OMB requirements. A\nlack of measurable performance units may limit recourse against\nsystems development contractors by the Commission.\n                                 37\n\x0c49.   Observation: Computech and Sybase contractors perform\n      operational functions for the FCC as part of the daily\n      Collection System process. In addition, these same\n      contractors are responsible for the development of the\n      Collection System. (I) [High]\n\n      Recommendation: Remove the contractors who develop the\n      Collection System from the operational aspects of the FCC\n      Collection process. A clear division of labor should exist\n      between Operations and Development. Developers, DBA, and\n      programmers should not be allowed to perform live production\n      or operational activities as it compromises the segregation\n      of duties required by OMB.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team, COTR, and TPOC have separated the Collections Team\n      development and production duties and responsibilities.\n      Currently, there is a separate and distinct development\n      team, testing environment, and production team to support\n      the FCC\'s Collections System. Under RAMIS this\n      recommendation will be fully complied with and adopted.\n\n50.   Observation: The Commission has not established an adequate\n      process to measure and evaluate Collection System contractor\n      performance. Our review indicates that minimal task order\n      status reports, designed to ensure adherence to existing\n      contracts and statements of work, have been provided. Those\n      status reports that were obtained and evaluated were\n      determined to be repetitive (i.e., reporting the same events\n      from month to month) or found by FCC contract personnel to\n      be non-compliant. Without the accountability and\n      enforcement of measuring contractor performance, funds\n      become quickly expended and the FCC has not received\n      reasonable services or deliverables for their money. (I)\n      [Low]\n\n      Recommendation: Accountability for contractor performance on\n      contracts and adherence to Statements of Work must be\n      enforced within the FCC contract monitoring structure.\n\n      OMD/WTB Response: Concur, the respective Project Managers\n      will work closely with Contracts to assure that a statement\n      of work is developed that will assure performance-based\n      compliance. The project will be monitored using tools such\n      as, but not limited to Microsoft Project, with tasks\n      identified at the lowest level possible to assure control.\n\n51.   Observation: The Development Contractors did not possess\n      appropriate financial expertise to develop the Collection\n      System that we have defined as a financial system. (SDLC)\n      [Low]\n                                38\n\x0c      Recommendation: When developing financial systems, require\n      the contractors to supply personnel with financial\n      application development expertise to ensure financial\n      requirements are being properly interpreted from the users\n      and programmed into the application.\n\n      OMD/WTB Response: Concur, over the past year Computech has\n      hired Collections Team programmers who have stronger\n      programming and financial experience more in line with the\n      requirements to support the Collections System. Under RAMIS\n      personnel with financial application development expertise\n      will be utilized to ensure that the financial requirements\n      are properly interpreted from the users and programmed into\n      the COTS application.\n\n52.   Observation: The most experienced programmer assigned to the\n      project (i.e., Senior Developer) had no experience in\n      developing financial applications. Others interviewed have\n      little or no experience in developing financial\n      applications. (P, SDLC) [Low]\n\n      Recommendation: The criteria for replacement of individuals\n      should include that a majority of the individuals be\n      experienced in the development of financial applications.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been restructured and, through attrition,\n      replacements have been brought on the team with stronger\n      programming and financial experience more in line with the\n      requirements to support the Collections System.\n\n53.   Observation: The deviations from the Project Plan were never\n      formalized. Instead informal correspondence was used to\n      document changes in priorities and tasks. (SDLC) [Low]\n\n      Recommendation: All changes to tasking and requirements\n      should be coordinated through the contracting officer. In\n      addition, the contractor should not accept contractual\n      relief from the COTR.\n\n      OMD/WTB Response: Concur, this no longer occurs.\n\n54.   Observation: There was no Quality Assurance on this project.\n      (I, SDLC) [Low]\n\n      Recommendation: The FCC should require the contractor to\n      implement their proposed quality assurance plan for this\n      project.\n\n      OMD/WTB Response: Concur, over the past year the Contractor\n      has implemented procedures to ensure compliance with their\n                                39\n\x0c      Quality Assurance (QA). The COTR and TPOC regularly meet\n      with the Contractor\'s Program Manager to review deliverables\n      under this project. Under RAMIS the COTS contractor will be\n      required to propose and then maintain rigorous quality\n      assurance, an engineering approach to any modifications, and\n      meet the test plan requirements set out by the FCC.\n\n      The ITC also accepts this recommendation. Information is\n      now being assembled defining each contractors QA plans and\n      COTRs will use this information to review their contractors\n      project management efforts and evaluate performance.\n\n55.   Observation: Buzz words and multiple-meaning words (e.g.\n      "completed") are used in the Status Reports, which would\n      cause the reader to make an incorrect assumption. For\n      example, it has been indicated in the Status Reports that\n      all auction payment processing has been completed. In fact,\n      up-front auction payments had not been processed and loaded\n      into the Collection Database. (P) [Low]\n\n      Recommendation: The Commission should direct Collection\n      System contractor\'s to revise the wording of the status\n      reports so that persons reading the documents who are not\n      close to the project are able to make the correct\n      assumptions and not be mislead or misinterpret the status of\n      the project tasks.\n\n      OMD/WTB Response: Concur, future status report wording will\n      include adequate text in order to avoid misinterpretation of\n      the status of the project. The respective Project Managers\n      and the contractors will issue regular bi-weekly project\n      status reports that address issues, concerns, and status on\n      ongoing tasks and identify completed tasks.\n\n56.   Observation: Stored Procedures exist without appropriate\n      header comments. Without header comments there is no place\n      for describing the Stored Procedure, identifying the\n      developer, and recording the changes to the Stored\n      Procedure. Good programming standards, such as header\n      comments, are essential in support of change management.\n      (I, P) [Low]\n\n      Recommendation: Develop a coding standards manual mandating\n      that all Stored Procedures contain header comments. Update\n      all Stored Procedures to comply with the coding standards\n      manual. Ensure that the program code review procedures\n      include steps to verify compliance with the coding standards\n      manual.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been developing a coding standards manual which\n      includes a requirement that all stored procedures contain\n                                40\n\x0c      header comments and that all updates comply with the coding\n      standards manual. As part of the development of the manual\n      a quarterly program review requirement is being instituted\n      to ensure that the Collections System program code review\n      procedures include steps to verify compliance with the\n      coding standards manual.\n\nDatabase Issues\n\nDatabase issues are similar to the audit trail control issues in\nthat they affect the integrity of the data in the Collection\nSystem. The database specific issues can be more technical in\nnature than the general audit trail control issues, and thus have\nbeen segregated out from those. Without the proper controls\nbuilt into the database structures, database security, and\ndatabase procedures, the entire application can be compromised\nand the desired internal controls structures can also be more\neasily compromised. If database controls are not properly\nimplemented and adhered to, inconsistent handling of the data can\nresult in erroneous and/or missing data in the Collection System.\n The Collection System can also become more costly for the\nCommission to maintain in the long run without adherence to\nproper database maintenance standards.\n\n57.   Observation: The tracking of operational problem resolution\n      is not formal and does not document what the problem is,\n      what caused the problem, how it was resolved, and by whom\n      with an appropriate tracking number. (P, PI) [Low]\n\n      Recommendation: Implement a formal problem resolution\n      tracking system to ensure that operational problems are\n      resolved in a timely and maintainable manner.\n\n      OMD/WTB Response: Concur, this practice is in place within\n      the current management structure of the Collection System.\n      A formal process is in place to track operational problems\n      within the database.\n\n58.   Observation: Historical collection data is maintained on the\n      Altos Computer. The Altos computer has modem connections\n      used to dial out to the bank. Altos Computer security has\n      not been reviewed. [Low]\n\n      Recommendation: A comprehensive security review should be\n      performed on the Altos computer to ensure the data is\n      controlled in a secure environment.\n\n      OMD/WTB Response: Concur, the data previously housed and\n      maintained on the Altos has been transferred to a stand-\n      alone database that can be accessed by the Collections\n      System. The waiver application still resides on the ALTOS.\n      Programming efforts to include the waiver application\n                                41\n\x0c      software in the current Collection System is expected to\n      implemented in the first quarter FY 1999. Additionally,\n      waiver tracking will be a requirement of RAMIS.\n\n59.   Observation: Historical data has not been converted off of\n      the Altos computer to the new Collection System database.\n      (P) [Low]\n\n      Recommendation: Study, plan, design and implement the\n      conversion of the data from the Altos computer to the new\n      Collection System database.\n\n      OMD/WTB Response: Concur, the data has been transferred to a\n      stand-alone database that can be accessed by the Collections\n      System.\n\n60.   Observation: Sybase contractors are not performing typical\n      DBA activities such as: documentation of the Unix and Sybase\n      environments, monitoring and optimizing the database\n      performance, optimizing indices, preparing and testing\n      contingency plans and scripts, documenting and preparing DBA\n      workbooks, etc. Instead, Sybase DBAs are [add typical\n      functions]. (I) [High]\n\n      Recommendation: Refocus the Sybase contractor efforts onto\n      DBA activities instead of operational activities.\n\n      OMD/WTB Response: Concur, this recommendation has already\n      been implemented.\n\n61.   Observation: The Collection System is comprised of two\n      separate databases (one in Gettysburg, PA and one in\n      Washington, DC). Maintenance of procedures and databases for\n      two separate but similar databases is costly and\n      inefficient. (PI) [Low]\n\n      Recommendation: Consolidate the two separate databases into\n      one database.\n\n      OMD/WTB Response: Concur, the task to consolidate the two\n      databases is under consideration.\n\n62.   Observation: Operating system, network application, database\n      application, and program application changes are made to the\n      production environment without proper testing of the\n      underlying applications to ensure proper operation and\n      functionality after the change. In one case, changes were\n      made to the version of Sybase being used. This change\n      results in a significant negative impact on collection\n      system performance. (P, PI) [High]\n\n      Recommendation: Implement formal procedures to ensure all\n                                42\n\x0c      underlying critical applications are tested with the new\n      software prior to the new software being placed into the\n      production environment.\n\n      OMD/WTB Response: Concur, the Collections Team has already\n      adopted this recommendation.\n\n63.   Observation: The Collection System shares its server with\n      other non-critical applications. (P) [Medium]\n\n      Recommendation: Due to the criticality of the accuracy of\n      the information processed by the Collection System, develop\n      an infrastructure which can ensure proper security and\n      controlled environmental changes to the programs being run\n      (such as a separate enclave).\n\n      OMD/WTB Response: Concur, the Collection System now has\n      three separate environments (development, testing and\n      production) as an infrastructure to assure security and a\n      controlled environment for change. It is anticipated that\n      RAMIS will be supported on a dedicated server.\n\n64.   Observation: Data fill is used in the form of zeroes on\n      Collection System database records in order to attain the\n      fixed length defined for the record set. The system is thus\n      storing unnecessary zeroes. (P) [Low]\n\n      Recommendation: Evaluate the system design and tools used to\n      determine if this is the most efficient manner for obtaining\n      and storing database records. Storing of unnecessary\n      information places undue burden on the database\n      optimization.\n\n      OMD/WTB Response: Concur, the Collections Team has already\n      evaluated the system design and the available tools used to\n      determine the efficiency of the Collections System. Based\n      upon this review the COTR procured additional software tools\n      for tracking and deleting unnecessary information as well as\n      authorizing modifications to existing system modules to\n      optimize performance.\n\n65.   Observation: Review of the log files displayed many lines of\n      errors (i.e., file not found, command aborted, cannot open\n      input file). These types of errors may be indicative of\n      loose ends in the program code. (P) [Low]\n\n      Recommendation: Each and every error in the log files should\n      be fully explored to determine the cause, and how the error\n      should be fixed for operational purposes and for programming\n      purposes.\n\n      OMD/WTB Response: Concur, the log is reviewed at least daily\n                                43\n\x0c      by the DBA, problems are promptly followed up on.\n\n66.   Observation: The SQL file cc_match.sql has extensive\n      programming contained within the file. (P) [Low]\n\n      Recommendation: The cc_match.sql programming should be\n      rewritten into a stored procedure which falls under the\n      normal Sybase access control protection and maintains\n      programming consistency.\n\n      OMD/WTB Response: Concur, the new nightly load which will be\n      place into production by October 1, 1998, will satisfy this\n      recommendation.\n\n67.   Observation: A Shell script (holdload.sh) contains code that\n      obtains information from a Data Fill file (WFEETAB5.FIL).\n      The Data Fill file has to be changed each day in order for\n      the information to be valid. (P) [Low]\n\n      Recommendation: Adjust the script to make use of more\n      automated checks. For example, date validation checks, BAI\n      end of file checks, Summarized transactions in comparison to\n      balance records checks, etc.\n\n      OMD/WTB Response: Concur, the new nightly load which will be\n      place into production by October 1, 1998, will satisfy this\n      recommendation. In addition, all future upgrades,\n      enhancements and changes will comply with this requirement.\n\n68.   Observation: The Data Dictionary documentation of the date\n      last altered does not seem to be working properly. A Data\n      Dictionary copy was obtained from the Billings and\n      Collection Branch and from the Developers. The contents of\n      the BCB document were empty as of 11/8/96, but the "date\n      last altered" shows 9/16/96 on the Developers copy. If the\n      date last altered does not function correctly, this may\n      present serious documentation issues as it will not be known\n      if the most current version is being worked with. (P, PO)\n      [Low]\n\n      Recommendation: Review the settings for the date last\n      altered to ensure it is properly functioning.\n\n      OMD/WTB Response: Concur, the Collections Team has been\n      tasked to review the settings for the date last altered to\n      ensure it is properly functioning. Review to be performed\n      by July 31, 1998.\n\n69.   Observation: The Data Dictionary and Data Entities Listing\n      contained many loose ends. Sources were not shown on\n      diagrams, elements were not used, and much of the individual\n      element documentation was not considered complete. (P, PO,\n                                44\n\x0c      SDLC) [Low]\n\n      Recommendation: The Data Dictionary and Data Entities\n      Listing should be reviewed and cleaned up to reflect the\n      system as it exists, delete obsolete elements, and ensure\n      elements are fully documented.\n\n      OMD/WTB Response: Concur, the Data Dictionary and Data\n      Entities Listing are dynamic documents which over the past\n      year the Collections Team has been updating to reflect the\n      current system. Additionally, when a software update has\n      been successfully tested and accepted by BCB these documents\n      are updated to reflect the additions, changes, and/or\n      modifications.\n\n70.   Observation: The Data Dictionary and Data Entities Listing\n      are not normalized. Our review identified several instances\n      in which the exact same field element was presented numerous\n      times. (P, SDLC) [Low]\n\n      Recommendation: Conduct an analysis to determine if data\n      elements and data entities can be further reduced.\n\n      OMD/WTB Response: Concur, a feasibility study will be\n      conducted in the FY 1999 to reduce data elements and data\n      entities.\n\n71.   Observation: The Auction Application passes along a\n      significant amount of information to the Collection System.\n      In some cases, the same information is stored on both the\n      Auction Application Database and the Collection System\n      Database, resulting in redundant amounts of data. (PI) [Low]\n\n      Recommendation: Review the interfacing between the Auction\n      Application and the Collection System to streamline the\n      dataflows and only store the necessary information in one\n      system.\n\n      OMD/WTB Response: Concur, a review shall be conducted in\n      order to streamline the dataflows and only store the\n      necessary information in one system. The review shall be\n      completed by September 30, 1998. We hope to minimize data\n      redundancy to the maximum extent within security\n      constraints. So long as we can communicate with feeder\n      systems, the revenue/collection system should hold as little\n      unnecessary data as possible.\n\nInternal Control Issues Affecting Segregation of Duties\nAnd Compromise of Controls\nSegregation of Duties internal controls help to ensure that no\none person has the ability to facilitate or process in all\n                                45\n\x0caspects of a system. This helps to ensure that only authorized\nactivities happen in an application or a system. The compromise\nof the segregation of duty controls can allow for exposure to\nunauthorized activities that may be at the detriment of the\nCommission in a financial or regulatory manner.\n\n72.   Observation: BCB personnel responsible for the daily\n      collection activities may also initiate refunds related to\n      those same activities. While there is a formal review and\n      approve process in place, the reviewers and approvers are\n      also performing daily collection activities and are\n      responsible for reviewing those daily activities. [High]\n\n      Recommendation: Define a Business Process that segregates\n      the refund function from the BCB personnel.\n\n      OMD/WTB Response: Concur, since all checks, credit card\n      transactions, and wire transfers are handled through the\n      lockbox facility, we believe that the processing of properly\n      authorized refunds is adequate. Under RAMIS the workflow\n      analysis and the subsequent business process re-engineering\n      will address separation of duties.\n\n73.   Observation: Credit card numbers of customers paying for\n      fees and other matters with their credit cards are\n      maintained on the Server with no encryption in place. FMS\n      allows the use of credit cards as long as the credit card\n      numbers are not maintained in a database. (S) [High]\n\n      Recommendation: Remove the credit card numbers from the\n      Collection Database or work with FMS to determine if FCC can\n      instead encrypt the credit card numbers in the database.\n\n      OMD/WTB Response: Concur, the Collections Team is actively\n      working with the U.S. Treasury and Mellon Bank to develop a\n      credit card system for the FCC. All credit card numbers,\n      those already in the Collections System as well as those to\n      be in-put into the system, will be protected following U.S.\n      Treasury rules, policies, and guidelines. This credit card\n      program will migrate to RAMIS.\n\n74.   Observation: Segregation of duties between refund of auction\n      payments, daily cash application, and daily reconciliation\n      of Certificates of Deposit has room for improvement.\n      [Medium]\n\n      Recommendation: Define a business process that segregates\n      the reconciliation of the Certificates of Deposit, the\n      refund execution of auction payments, the cash application\n      process, and the reconciliation of Bank Statements.\n\n      OMD/WTB Response: Concur, the RAMIS workflow analysis and\n                                46\n\x0c      the subsequent business process re-engineering will address\n      separation of duties. (3rd Quarter 1999)\n\n75.   Observation: Programming standards do not exist for the\n      programmers of the Collection System. (P, PO) [Medium]\n\n      Recommendation: Implement and enforce the use of standard\n      programming procedures from the existing Developers Company\n      guidelines or other acceptable guidance.\n\n      OMD/WTB Response: Concur, over the past year the COTR and\n      TPOC have implemented and enforced the use of standard\n      programming procedures by the Collections Team programmers.\n\n76.   Observation: Customers credit card numbers are stored in the\n      Collection System Database. (S) [High]\n\n      Recommendation: Credit card numbers should be secured in the\n      tightest manner possible, which would include strong\n      encryption and strong access controls. Implement the strong\n      encryption techniques and access controls to help prevent\n      unauthorized access and/or use of customer credit card\n      numbers.\n\n      OMD/WTB Response: Concur, the Collections Team is actively\n      working with the U.S. Treasury and Mellon Bank to develop a\n      credit card system for the FCC. All credit card numbers,\n      those already in the Collections System as well as those to\n      be in-put into the system, will be protected following U.S.\n      Treasury rules, policies, and guidelines. This credit card\n      program will migrate to RAMIS.\n\n77.   Observation: Data Entity labeled CONFIDENTIAL_PAYMENT could\n      be indicative of surreptitious activities. It is not a\n      normal financial application feature. (S) [High]\n\n      Recommendation: Delete this data entity.\n\n      OMD/WTB Response: Concur, we will review the labelling, and\n      if it is appropriate we will delete this data entity. The\n      review will be accomplished by July 31, 1998.\n\n78.   Observation: Sybase roles and responsibilities have an\n      excessive number of userids assigned to the sa_role (13),\n      sso_role (10), sybase_ts_support role (4). (S) [Medium]\n\n      Recommendation: Implement a periodic review procedure to\n      determine whether the userids assigned these more powerful\n      Sybase functions are still necessary and that the access is\n      appropriately authorized.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n                                47\n\x0c      Team DBA has met with the COTR and TPOC on a quarterly basis\n      to determine whether the userids assigned to the Sybase\n      functions are still necessary and that the access is\n      appropriately authorized. New userids must go through the\n      TPOC and COTR for authorization.\n\n79.   Observation: Until recently, software peer reviews had not\n      been used in the development of the software. The\n      establishment of these reviews occurred such a short time\n      ago that the effectiveness is unknown. (P, SDLC) [Low]\n\n      Recommendation: The Commission should periodically review\n      the results of the software peer review process to ensure\n      that it been effectively implemented.\n\n      OMD/WTB Response: Concur, as a part of the RAMIS SOW, peer\n      reviews will be required as part of the quality assurance\n      function. (2nd Quarter FY 1999)\n\n80.   Observation: Some of the developers on the project are\n      following informal programming standards. (P, SDLC)\n      [Medium]\n\n      Recommendation: The Commission should ensure that Collection\n      System contractors implement either a government provided\n      programming standard or their corporate programming\n      standards.\n\n      OMD/WTB Response: Concur, The ITC\'s emphasis is being placed\n      on the development of FCC programming standards for each\n      language. Changes in ITC contracts for Sybase, PowerBuilder\n      and web support staff now being made will permit these\n      contractors to work with FCC staff to develop programming\n      standards for the basic languages in use at the FCC. These\n      standards will be promulgated and their use by PSC staff\n      verified.\n\n      FCC published standards or COTS Contractor standards will be\n      used for RAMIS.\n\n81.   Observation: The project did not have a problem report with\n      the associated documentation that would indicate a formal\n      change management process. (I, P, SDLC) [Medium]\n\n      Recommendation: The project needs to implement a change\n      control process that is formalized with documentation and\n      approval processes.\n\n      OMD/WTB Response: Concur, the COTR and TPOC, in coordination\n      with the Contractor\'s Program Manager, have implemented a\n      formalized change control process. This process requires a\n      "Change Request" document be initiated by the Requestor and\n                                48\n\x0c      be submitted to the COTR for approval by the COTR and TPOC\n      before the programmers make any changes.\n\n      The FCC is pursuing improvement to the management of all ADP\n      development projects on several paths. The first is by\n      defining and implementing an FCC SDLC. The second is\n      through the ITC providing increased support to programming\n      task staff for the management of requirements definition,\n      changes to requirements, system releases, hardware and\n      software configuration changes/upgrades etc. In support of\n      this effort ITC recently purchased the CAST Workbench.\n      PVCS, PowerSite and other products that can support this\n      effort are under evaluation. Thirdly, ITC is establishing a\n      more defined and controlled process through which\n      releases/version are moved from development to\n      test/acceptance and implementation under the control of FCC\n      staff.\n82.   Observation: The project could not show any evidence of a\n      cohesive project plan. (P, SDLC) [Low]\n\n      Recommendation: The project manager for this program should\n      either be trained or relieved. In either case, a cohesive\n      project plan should be developed to address the activities\n      that are projected during the course of the effort.\n\n      OMD/WTB Response: Concur, the Collections Team has been\n      reorganized and the current Project Manager is a fully\n      qualified Sybase and Powerbuilder programmer. In addition,\n      there has been a staff transition within the Collection Team\n      which has added qualified Powerbuilder 5.0 programmers and a\n      management analyst which strengthen the credentials of the\n      team. OMD/WTB has worked with the Collections Team Project\n      Manager to develop a cohesive project plan which address\n      activities that are projected during the course of the\n      effort. Specifically, these activities focus on the\n      production modules which must be maintained for daily\n      operations, the remaining modules will be addressed by\n      RAMIS.\n\n83.   Observation: A Test Plan does not exist.   (SDLC) [Low]\n\n      Recommendation: The project should formalize the testing\n      process. It should address, at the minimum, unit testing,\n      integration testing, performance testing, and government\n      acceptance testing.\n\n      OMD/WTB Response: Concur, the Collections Team has already\n      instituted a segregated test environment with formalized\n      testing procedures and "push-pull" approval requirements.\n      In addition, the Collections Team maintains a library of all\n      test plans.\n                                49\n\x0c84.   Observation: Unprofessional naming conventions were\n      identified in the review of the Sybase Stored procedures\n      which make reference to "junk" or individual programmers\n      names. (P) [Low]\n\n      Recommendation: Standard naming conventions with\n      professional naming should be used for labeling of all\n      stored procedures. Meaning of the stored procedure should\n      be entailed within the naming convention used.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been utilizing standard naming conventions with\n      professional naming for labeling of all stored procedures to\n      include a definition of the stored procedure.\n\n85.   Observation: Review of the stored procedures yielded several\n      procedures which would seem to be obsolete since the coding\n      of the stored procedure did not cause an action of any kind\n      to occur on a Collection System Table. (P) [Low]\n\n      Recommendation: Standard change control procedures help to\n      prevent retention of obsolete code and should be employed.\n      Additional controls in the form of periodic reviews for\n      obsolete code and scrubbing of the system are also\n      encouraged.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been utilizing standard change control procedures\n      in order to prevent retention of obsolete code. In\n      addition, the Collections Team has been tasked to review and\n      delete obsolete code within the Collections System program\n      modules. The review of existing code will be completed by\n      December 31, 1998.\n\n      In addition, the Collections Team has instituted a quarterly\n      code review to maintain a configuration management system\n      for the Collections System program code.\n\n86.   Observation: Stored Procedures variables are being declared\n      without an appropriate comment. Variables need to be\n      defined and identified with a comment to assist the\n      maintainer of the Stored Procedure in understanding the\n      value and relationship of the variable. Ensure that the\n      program code review procedures include steps to verify\n      compliance with the coding standards manual. (P) [Low]\n\n      Recommendation: Develop a coding   standards manual mandating\n      that all variables within Stored   Procedures contain comments\n      that describe the purpose of the   variable. Update all\n      Stored Procedures to comply with   the coding standards\n      manual. Ensure that the program    code review procedures\n                                50\n\x0c      include steps to verify compliance with the coding standards\n      manual.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been utilizing standard naming conventions with\n      professional naming for labeling of all stored procedures to\n      include a definition of the stored procedure. The\n      Collections Team has been tasked to develop a coding\n      standards manual with a requirement to update all Stored\n      Procedures to comply with the coding standards manual.\n\n87.   Observation: The underlying behavior of a Stored Procedure\n      is not being expressed in plain language. Maintainers\n      should find, within the header comments of Stored\n      Procedures, plain language that describes the function and\n      flow of the Stored Procedure. (P) [Low]\n\n      Recommendation: Develop a coding standards manual mandating\n      that all Stored Procedures contain, within the header\n      comments, plain language that expresses the behavior of the\n      Stored Procedure. Update all Stored Procedures to comply\n      with the coding standards manual. Ensure that the program\n      code review procedures include steps to verify compliance\n      with the coding standards manual.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been utilizing standard naming conventions with\n      professional naming for labeling of all stored procedures to\n      include a definition of the stored procedure. The\n      Collections Team is developing a coding standards manual\n      which includes procedures to ensure that all Stored\n      Procedures contain, within the header comments, plain\n      language that expresses the behavior of the Stored\n      Procedure. The completed manual is due by March 31, 1999.\n\n88.   Observation: Some Stored Procedures do not contain comments\n      in code to help in the understanding of the code. Comments\n      within the body of the Stored Procedure need to exist for\n      identify logic flow and function to assist maintainers in\n      the change. (P) [Low]\n\n      Recommendation: Develop a coding standards manual mandating\n      that all Stored Procedures contain comments in code to\n      facilitate understanding the algorithm reflected in the\n      software. Update all Stored Procedures to comply with the\n      coding standards manual. Ensure that the program code review\n      procedures include steps to verify compliance with the\n      coding standards manual.\n\n      OMD/WTB Response: Concur, the Collections Team will develop\n      a coding standards manual mandating that all Stored\n      Procedures contain comments in code to facilitate\n                                51\n\x0c      understanding the algorithm reflected in the software.\n      Updates to all Stored Procedures will comply with the coding\n      standards manual. The completed manual is due by March 31,\n      1999.\n\n89.   Observation: A standard layout format for Stored Procedures\n      could not be identified. (P) [Low]\n\n      Recommendation: Develop a coding standards manual mandating\n      that all Stored Procedures conform to a standard layout\n      format and ensure that the program code review procedures\n      include steps to verify that Stored Procedures conform to\n      the standard layout format in the coding standards manual.\n\n      OMD/WTB Response: Concur, the Collections Team will develop\n      a coding standards manual mandating that all Stored\n      Procedures conform to a standard layout format and ensure\n      that the program code review procedures include steps to\n      verify that Stored Procedures conform to the standard layout\n      format in the coding standards manual. The completed manual\n      is due by March 31, 1999.\n\n90.   Observation: A consistent naming convention for Stored\n      Procedures could not be identified. (P) [Low]\n\n      Recommendation: Develop a coding standards manual mandating\n      that all Stored Procedures conform to a standard naming\n      convention. Ensure that the program code review procedures\n      include steps to verify that Stored Procedures conform to a\n      standard naming convention as specified in the coding\n      standards manual.\n\n      OMD/WTB Response: Concur, the Collections Team will develop\n      a coding standards manual mandating that all Stored\n      Procedures conform to a standard naming convention. Ensure\n      that the program code review procedures include steps to\n      verify that Stored Procedures conform to a standard naming\n      convention as specified in the coding standards manual. The\n      completed manual is due by March 31, 1999.\n\n91.   Observation: The Collection System Payments Narrative\n      Processes Breakdown documentation has numerous clerical\n      errors, and lists many processes that were missing or\n      unaccounted for. (P) [Low]\n\n      Recommendation: The Commission should direct the\n      contractor\'s developing the Collection System to complete\n      the documentation of the existing processes listed in the\n      Payment Process breakdown and make them available to all\n      users.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n                                52\n\x0c      Team has been documenting the entire Collections System\'s\n      modules and processes, including the Payment Process\n      breakdown. The completed manual will be available for all\n      users in the second quarter of FY 1999.\n\n92.   Observation: The Collection System Payment Processes do not\n      use a standard format, and do not have clear cut step by\n      step procedures. In addition, insufficient information is\n      provided within the content of the process described. (P)\n      [Low]\n\n      Recommendation: Establish a standard format that all\n      processes will be drafted by. Include in each process the\n      objective of the process, why the process is being done, who\n      is responsible for the completion of the process, when it is\n      to be done, step by step procedures on how the process is to\n      be done, how the process is verified and validated, and what\n      the user does with the completed transaction.\n\n      OMD/WTB Response: Concur, the Collections Team, COTR and\n      TPOC have been establishing a standard format for all\n      Collections System processes. This includes the objective\n      of the process, why the process is being done, who is\n      responsible for the completion of the process, when it is to\n      be done, step by step procedures on how the process is to be\n      done, how the process is verified and validated, and what\n      the user does with the completed transaction.\n\n93.   Observation: Non standard banking terminology was used in\n      the drafting of the processes, which could be\n      misinterpreted. (P) [Low]\n\n      Recommendation: Use standard banking terminology in the\n      drafting of all Collection System Payment Processes.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been using standard banking terminology in the\n      drafting of all Collection System Payment Processes.\n\n94.   Observation: Numerous processes have been drafted containing\n      little or no information at all. (P) [Low]\n\n      Recommendation: Establish a standard format that all\n      processes will be drafted by. Include in each process all\n      information required to complete that process.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has been working with the COTR and TPOC to establish a\n      standard format for drafting all processes.\n\nProgramming Related Matters\n\n                                53\n\x0cProgramming issues are systematic of not having or adhering to a\nSystem Development Life Cycle (SDLC) methodology. Without the\nproper controls built into the programming methods, programming\ncode, and programming processes, the entire application can be\ncompromised and the desired internal controls structures can also\nbe more easily compromised. This leads to more costs for the\nCommission to maintain the Collection System in the long run\nwithout adherence to proper programming standards. New releases\nof software can also make the maintainability of the Collection\nSystem more difficult as the application may have to be\nre-written each time a new operating system or database software\nrelease is implemented due to the way in which the program code\nhas been effected and documented. This could result in\ntremendous costs to the Commission.\n\n95.   Observation: The Data Dictionary contained several instances\n      of non-professional language. (PO, SDLC) [Low]\n\n      Recommendation: Enforce good programming standards to ensure\n      professional language is used throughout the Data\n      Dictionary.\n\n      OMD/WTB Response: Concur, over the past year the Collections\n      Team has followed good programming standards to ensure\n      professional language is used throughout the Data\n      Dictionary. The Data Dictionary will be updated on a\n      quarterly basis until convergence to RAMIS.\n\n      The ITC also accepts this recommendation. Instructions to\n      contractor project managers will be promulgated and task\n      COTRs will be shown how to verify compliance.\n\n96.   Observation: The draft user manual dated 7/3/97 was given a\n      perfunctory review. There are several areas noted in which\n      improvements could be made: Cohesiveness of the document;\n      Glossary of Terms; Reflection of the actual functionality in\n      the working environment; Reflection of the modules in actual\n      use; Financial Terminology. These comments are in addition\n      to the Collection System Users Guide Review Report provided\n      by the Billing and Collections Branch to the system\n      developers which states that the application is not in\n      compliance with OMB Circular A-127. [Low]\n\n      Recommendation: A re-write of the user manual should be\n      performed, if the application is to be retained to take into\n      account the above items.\n\n      OMD/WTB Response: New manuals and training guides will be\n      prepared for the new System.\n\n97.   Observation: All contract programming staff interviewed were\n      new (\xe2\x89\xa4 3 months) to the Collections System project. This\n                                54\n\x0c      lack of corporate history can be overcome through effective\n      management of the project. [Low]\n\n      Recommendation: The Commission take steps (e.g., establish\n      key personnel classifications) to ensure that changes to the\n      staff be in small increments allowing for the transfer of\n      corporate knowledge.\n\n      OMD/WTB Response: Concur, the ITC accepts this\n      recommendation and will pursue with Acquisitions staff the\n      development of appropriate contract language to encourage\n      the contractor firm to work towards this goal.\n\n      Employee retention will be an issue for the new system as\n      well, particularly since only Civil Service temporary\n      appointments are available.\n\n98.   Observation: The schedules that were identified for\n      enhancements or development did not reflect any reviews or\n      acceptance testing. (SDLC) [Low]\n\n      Recommendation: Schedules should be developed to include\n      developmental lifecycle concepts of formal reviews.\n\n      OMD/WTB Response: Concur, current and future tasks will\n      include schedules to include developmental lifecycle\n      concepts of formal reviews.\n\n      The SDLC under development will provide for and define the\n      needed review phases and efforts. Responsibilities for\n      directing and participating in these efforts will also be\n      defined.\n\n99.   Observation: Formal acceptance criteria could not be\n      identified. (SDLC) [Low]\n\n      Recommendation: Formal acceptance criteria should be\n      developed for each task. Without formal acceptance criteria\n      the developer has little or no direction as it relates to\n      the end product.\n\n      OMD/WTB Response: Concur, over the past year the Collection\n      Team has implemented formal acceptance criteria and\n      procedures for software in-products. Under the current\n      Collection System and RAMIS, acceptance testing criteria\n      will be included in the Project Test Plan.\n\n      The ITC is examining alternatives that might improve the\n      acceptance process by employing a separate contractor to\n      develop acceptance criteria, develop test data and test\n      plans, and to participate along with FCC staff in the\n      acceptance testing process.\n                                55\n\x0c100. Observation: Of the weekly and monthly status reports\n     provided, there does not seem to be a logical progression\n     and resolution of tasks as they are assigned or discussed.\n     Items which are scheduled for the next reporting period are\n     not always addressed as to their status in the next\n     reporting period. (PI) [Low]\n\n     Recommendation: In presenting the status reports, The\n     contractor should be directed to indicate the resolution of\n     the items indicated as planned to be worked on during the\n     reporting period at hand.\n\n     OMD/WTB Response: Concur, over the past year the status\n     reports, provided to the COTR include resolution of the\n     items indicated as planned to be worked on during the\n     reporting period at hand.\n\n     The ITC also accepts this recommendation. This subject will\n     be discussed at the monthly COTR meetings and task COTRs\n     will be encouraged to require their contractors to comply.\n\n101. Observation: Vague narrative was contained in a monthly\n     status report wherein the Projected Completion Date was\n     stated as indefinite. [Low]\n\n     Recommendation: The Commission should direct Collection\n     System contractor\'s to include only specific language in\n     official documents.\n\n     OMD/WTB Response: Concur, the ITC accepts this\n     recommendation as it applies to all PSC work. This subject\n     will be discussed at the monthly COTR meetings and task\n     COTRs will be encouraged to require their contractors to\n     comply.\n\n102. Observation: There is no standardized header format and no\n     overall standardized format for all C programs and shell\n     scripts reviewed. [Low]\n\n     Recommendation: Establish a standardized header format for\n     all C programs and shell scripts.\n\n     OMD/WTB Response: Concur, Changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n103. Observation: There are no comments written within the code\n     for C programs and shell scripts. Functions are not\n                               56\n\x0c     identified or expressed in plain language.   [Low]\n\n     Recommendation: Include comments in the code that identify\n     the individual functions in plain language, and comments\n     that describe what function the code is executing.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n104. Observation: There are no comments in the header to describe\n     the code nor identify for C programs and shell scripts\n     modifications to the code as to who made the modification\n     and when. [Low]\n\n     Recommendation: Develop and implement a standardized header\n     format for C programs and shell scripts that will include\n     comments in the header to describe the code, and identify\n     modifications to the code as to who made the modification\n     and when.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n105. Observation: Functions have no headers, no comments, or\n     underlying behavior statements to assist in the maintenance\n     of the code for C programs and shell scripts. [Low]\n\n     Recommendation: Develop and implement a standardized header\n     format that will include headers, comments in the header,\n     and underlying behavior statements to assist in the\n     maintenance of the code.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n106. Observation: There are no variable or constant declaration\n     statements in the C programs or shell scripts. [Low]\n\n     Recommendation: All programs contain sufficient statements\n     and/or comments as to how variables and constants are being\n                               57\n\x0c     used throughout the code for Powerbuilder programs.\n\n     OMD/WTB Response: Concur, the ITC accepts this\n     recommendation. Changes in ITC contracts for Sybase,\n     PowerBuilder and web support staff now being made will\n     permit these contractors to work with FCC staff to develop\n     programming standards for the basic languages in use at the\n     FCC. These standards will be promulgated and their use by\n     PSC staff verified.\n\n107. Observation: A standardized naming convention is undefined\n     for C programs and shell scripts. [Low]\n\n     Recommendation: Establish a standard naming convention that\n     all C programs and shell scripts will be drafted by.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n108. Observation: There is no standardized header format and no\n     overall standardized format for all Powerbuilder programs\n     and scripts reviewed. [Low]\n\n     Recommendation: Develop and implement one overall standard\n     format and a standardized header format and create all\n     Powerbuilder programs and scripts in accordance with the\n     agreed upon formats.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n109. Observation: There are no comments in the header to describe\n     the code and identify modifications to the code as to who\n     made the modification and when for the Powerbuilder\n     programs. [Low]\n\n     Recommendation: Develop and implement a standardized header\n     format that will include comments in the header to describe\n     the code, and identify modifications to the code as to who\n     made the modification and when for the Powerbuilder\n     programs.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n                               58\n\x0c     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n110. Observation: There are no comments written within the code\n     for Powerbuilder programs. Functions are not identified or\n     expressed in plain language. [Low]\n\n     Recommendation: Include comments in the code that identify\n     the individual functions in plain language, and comments\n     that describe what function the code is executing for\n     Powerbuilder programs.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n111. Observation: Functions have no header, no comments, or\n     underlying behavior statements to assist in the maintenance\n     of the code for Powerbuilder programs. [Low]\n\n     Recommendation: Develop and implement a standardized header\n     format that will include headers, comments in the header,\n     and underlying behavior statements to assist in the\n     maintenance of the code for Powerbuilder programs.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\n112. Observation: There are no variable or constant declaration\n     statements in the programs or scripts for Powerbuilder.\n     [Low]\n\n     Recommendation: All Powerbuilder programs contain sufficient\n     statements and/or comments as to how variables and constants\n     are being used throughout the code.\n\n     OMD/WTB Response: Concur, the ITC accepts this\n     recommendation. Changes in ITC contracts for Sybase,\n     PowerBuilder and web support staff now being made will\n     permit these contractors to work with FCC staff to develop\n     programming standards for the basic languages in use at the\n     FCC. These standards will be promulgated and their use by\n     PSC staff verified.\n                               59\n\x0c113. Observation: A standardized naming convention for\n     Powerbuilder programs is undefined. [Low]\n\n     Recommendation: Establish a standard naming convention that\n     all Powerbuilder programs and scripts will be drafted by.\n     Include the identification of the naming convention in the\n     Powerbuilder program or script.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified. RAMIS will establish a standard\n     naming convention that all Powerbuilder programs and scripts\n     will be drafted by. Include the identification of the\n     naming convention in the Powerbuilder program or script.\n\n114. Observation: Blocks of code exist that contain no comments\n     as to their function, no headers, no naming convention, no\n     declaration statements, or statements that assist in the\n     maintenance of the code for Powerbuilder programs. [Low]\n\n     Recommendation: Develop and implement one overall standard\n     format and a standardized header format and create all\n     Powerbuilder programs and scripts in accordance with the\n     agreed upon formats. Include comments in the code that\n     identify the individual functions in plain language, and\n     comments that describe what function the code is executing.\n     Establish a standard naming convention that all programs and\n     scripts will be drafted by. Include the identification of\n     the naming convention in the program or script.\n\n     OMD/WTB Response: Concur, changes in ITC contracts for\n     Sybase, PowerBuilder and web support staff now being made\n     will permit these contractors to work with FCC staff to\n     develop programming standards for the basic languages in use\n     at the FCC. These standards will be promulgated and their\n     use by PSC staff verified.\n\nProcess Improvement Matters\n\nDuring the review, several areas were noted in which the\nprocesses, if engineered in a different manner, could result in\nmore efficient and less costly operations for the Commission.\nWhen identifying areas for process improvement, the ideal basis\nis to concentrate on single sources of information, singles\nsources of input, and single sources of processing. So as not to\ncause redundancy, inefficiency, and result in more costs to the\nentities involved.\n\n                               60\n\x0c115. Observation: During the review of functionality requirements\n     and system requirements, it was evident that not all users\n     of the Collection System information had been involved\n     during the design of the Collection System. In order to\n     design effective accounting and management information\n     systems, it is imperative that all users have input into the\n     process in order for the system to become a functional\n     system used throughout the Commission. (SDLC) [Low]\n\n     Recommendation: Revise development procedures to ensure the\n     opportunity for all users communities to be involved in the\n     design and testing of the application.\n\n     OMD/WTB Response: Concur, RAMIS will revise development\n     procedures to ensure the opportunity for all users\n     communities to be involved in the design and testing of the\n     application. The Project Plan will include tasks for\n     workflow analyses, data and reporting needs, and focus\n     groups about the new system. The steering committees should\n     consist of representatives from all of the Bureaus and\n     Offices who are stakeholders.\n\n116. Observation: While significant volumes of information on\n     user requirements exist, there is no one cohesive user\n     requirement document or formal procedures for tracking to\n     ensure implementation or disposition of a user requirement.\n     In addition, the user requirements were never turned into\n     functional requirements and placed into more programmable\n     requirements, resulting in the achievement of only 30% of\n     the intended functionality. Without the documented user\n     requirements and functional requirements, the business\n     process improvements are never programmed and therefore the\n     automation does not help make the processes more efficient.\n     (SDLC) [Low]\n\n     Recommendation: When undertaking development efforts, a full\n     user requirements and functional requirements analysis\n     should be performed in order to prepare the requirements\n     analysis document from which the program plan maybe\n     generated. In addition, a formal method for tracking the\n     user requirements through to implementation or disposition\n     should be implemented.\n\n     OMD/WTB Response: Concur, the Project Manager recommends\n     that, to the extent possible, all procedures and processes\n     be changed to use the capabilities of the COTS package\n     selected. The requirements analyses will provide the basis\n     for developing the RFP, identifying BPR areas, developing\n     the OCD tests, and developing the evaluation criteria.\n\n117. Observation: The Collection System Wireless department users\n     have a need for intraday information from Mellon Bank during\n                               61\n\x0c     auction programs. The requirements as defined require the\n     use of another form (Form 159) to be input as wires and\n     checks are received instead of using currently available\n     technology. [Low]\n\n     Recommendation: Require electronic intraday bank reporting\n     be used with any Collection System put in place at the FCC.\n\n     OMD/WTB Response: Concur, a requirement will be included in\n     the RFP that either unique data records be imported while\n     the system is in production or that remote entry be\n     available.\n\n118. Observation: At the time our review was completed, plans\n     were being considered in which three separate data feeds\n     would be required from Mellon bank. [Low]\n\n     Recommendation: The Commission should recognize the risks\n     associated with duplicate data feeds and consider\n     eliminating this practice.\n\n     OMD/WTB Response: Concur, this will be considered under the\n     RAMIS "Requirements Analysis". Further, Nortridge (or other\n     loan management system data) will be treated as a subsidiary\n     ledger with daily, weekly and monthly updates to the central\n     revenue system.\n\n119. Observation: The Collection System requirements did not\n     automate the information for returned checks (also known in\n     the banking industry as returned items). [Low]\n\n     Recommendation: Returned items information should be\n     returned electronically from Mellon Bank in order to\n     automatically populate the Collection System and take the\n     automated appropriate actions as a result of the returned\n     items.\n\n     OMD/WTB Response: Concur, the new system will require that\n     returned check data be included in the electronic feed from\n     the servicing bank.\n\n120. Observation: FCC has no common data dictionary for\n     programming efforts. (PO) [Low]\n\n     Recommendation: Develop a Commission-wide common data\n     dictionary, which will allow for more efficient programming\n     efforts and sharing on information among applications. This\n     common data dictionary should also make use of standardized\n     data elements, data fill, and data interoperability.\n\n     OMD/WTB Response: Concur, RAMIS will develop a Commission-\n     wide common data dictionary, which will allow for more\n                               62\n\x0c     efficient programming efforts and sharing on information\n     among applications. This common data dictionary will also\n     make use of standardized data elements, data fill, and data\n     interoperability.\n\n121. Observation: The developer has not adopted an engineering\n     approach to developing software. (SDLC) [Low]\n\n     Recommendation: The contractor should be directed to\n     implement software development standards. In addition the\n     contractor should train their developers on how to\n     professionally develop software.\n\n     OMD/WTB Response: Concur, over the past year the Collections\n     Team programmers have implemented and followed software\n     development standards. The programmers have been\n     professionally developing software for the Collections\n     System.\n\n122. Observation: The contractor is not engineering this system.\n     This results in the project having no characteristics of an\n     engineering effort. The project has separated from the\n     requirements and is moving forward reacting to the current\n     issues. [Low]\n\n     Recommendation: No new work requirements should be developed\n     until an appropriate or formalized engineering structure is\n     established.\n\n     OMD/WTB Response: Concur, under RAMIS new work requirements\n     will be developed following an established or formalized\n     engineering structure.\n\n123. Observation: The costs of the existing Collection System are\n     far greater than the costs of a COTS package implementation.\n     In addition, the existing Collection System contains less\n     than 30% of the desired functionality whereas the COTS\n     packages contain 80% to 90% of the desired functionality.\n     (SDLC) [High]\n\n     Recommendation: Abandon the in-house developed Collection\n     System solution and migrate towards a COTS package.\n\n     OMD/WTB Response: Concur, however, the current system must\n     be maintained until a COTS solution is identified, tested\n     and implemented.\n\nPolicy and Procedures Issues\n\nThese comments relate to specific instances in which adherence to\na specific policy was not followed or in which a specific manual\nprocess is followed for which no formal documented policy exists.\n                               63\n\x0c124. Observation: Adherence to a System Development Life Cycle\n     (SDLC) methodology from system design to system\n     implementation was not apparent. Documents expected through\n     the adherence to any type of SDLC were neither prepared nor\n     readily available. Use of a SDLC methodology will help\n     ensure the system is properly designed (whether Commercial\n     Off the Shelf (COTS) or in-house developed (IHD)),\n     documented, programmed, implemented, and users are properly\n     trained. This also helps to ensure the system is\n     maintainable with the minimum amount of resources. [Low]\n\n     Recommendation: Whether contractor support or FCC personnel,\n     use of a SDLC should be mandatory and measured to ensure a\n     SDLC is being used.\n\n     OMD/WTB Response: Concur, an FCC SDLC will be developed.\n\n125. Observation: During the data integrity review, many\n     transactions with payment type code >ZZZ= or >ZZZZ= were\n     noted. No formal procedures for reclassifying these\n     transactions to their appropriate payment type code exist.\n     Without the proper payment type code classification, the\n     correct service type has not been identified. [Low]\n\n     Recommendation: Establish formal processing procedures for\n     reclassifying AZZZ= and >ZZZZ= transactions to their\n     appropriate payment type code.\n\n     OMD/WTB Response: Concur, formal processing standards shall\n     be developed by, or before, October 31, 1998.\n\n126. Observation: The transmission between the FCC and Mellon\n     Bank is over open and clear telephone lines without any\n     encryption. [High]\n\n     Recommendation: Implement encryption technology for the\n     Mellon Bank transmission.\n\n     OMD/WTB Response: Concur, the implement of encryption\n     technology for the servicing bank transmission will be\n     reviewed as part of RAMIS.\n\nSDLC - Life Cycle Development Issues\n\nOMB Guidance specifically recommends adherence to a System\nDevelopment Life Cycle methodology, whether for newly developed\nor for the enhancements of existing applications. Specific\ncomments regarding the adherence to any SDLC methodology are\nindicated to emphasize the importance of the need for adherence\nto a SDLC. Without the use of and adherence to a SDLC\nmethodology, the end application may result in pieces which are\n                               64\n\x0cnot easily maintainable, are costly to maintain, and which do not\nfunction as desired by the\n\n127. Observation: Throughout the evolution of the Collection\n     System and the processes used by Mellon Bank, the Commission\n     has failed to fully explore commercially available options.\n     In addition, a feasibility analysis of available options has\n     not been performed. [Low]\n\n     Recommendation: A documented feasibility analysis should be\n     performed any time a new system or application is being\n     considered. The Commission should ensure that any\n     methodology used to develop Commission information systems\n     includes a requirement for conducting a feasibility\n     analysis.\n\n     OMD/WTB Response: Concur, the FCC has already decided to\n     develop and implement a new system based upon a COTS\n     package. Future information system enhancements will follow\n     a SDLC which includes feasibility analyses.\n\n128. Observation: The User Manual reads like an automated paper\n     process. The Collection System did not automate or make\n     more efficient the business processes, but instead placed\n     those manual processes on the computer. [Low]\n\n     Recommendation: The business processes for Money Collection\n     should be reviewed and streamlined in order to make the\n     process less time consuming, more accurate, and more\n     efficient. Moving towards a more COTS-oriented package will\n     not prove beneficial unless the business processes\n     themselves are evaluated and improved.\n\n     OMD/WTB Response: Concur, OMD will review the business\n     processes for Money Collection. This review will be\n     conducted in unison with the development of the new system.\n\n\n\n\n                               65\n\x0cF.   DETAILED RECOMMENDATIONS PHASE II\n\n     The Ernst & Young results of the Phase II portion of the\nreview are encompassed in this detailed recommendations section.\nErnst & Young\'s complete report is included in its entirety as\nAppendix A of this report.\n\n     In summary, the E&Y report noted the FCC did not provide\nsource data for fifty-two (52) of the one-thousand six-hundred\nninety-five (1695) transactions selected. There were seven-\nhundred eleven (711) instances in which the data contained in the\ncollections system differed from the source documents provided,\nmost of which related to discrepancies in non-monetary fields.\nThe differences include discrepancies in dates of payment\nreceipt, payor names and addresses, amounts, FCC fee control\nnumbers, FCC account numbers, payment type codes and payment\nmethods. Of the seven-hundred eleven (711) instances noted,\nthirty-three (33) instances were sample items totaling\napproximately $39 million related to discrepancies in monetary\namounts or instances where no check or wire slip could be located\nto substantiate the transaction. One (1) item represented an\nauction-related transaction where the discrepancy between the\nbank wire and the Collection System extract totaled $87,435.\n\n     In addition, the collections system allows transaction\ninformation to be updated without necessarily creating and\nretaining an audit trail. E&Y also noted a need to reconcile\ninformation included in the data extract with amounts reflected\nin the FCC general ledger, and to reconcile the total deposits\nand disbursements in FCC cash accounts to such amounts as well.\n\n     What isn\'t stated in the E&Y report is the elongated\nduration of time incurred to obtain documents to support the\ntransactions. In addition, there is not a mention of the\nsignificant analysis time spent to determine how to agree\ndocuments, once obtained, to the transactions they are supposed\nto represent. Both of these represent the need for extensive\nimprovement in the areas of record keeping and audit trails for\ntransactions recorded in the Collection System.\n\n     Appendix A contains the detailed E&Y report as well as the\nschedules supporting their report. E&Y also included, at the\nrequest of FCC Management, recommendations on observations they\nmade during the course of the Agree-Upon Procedures. These are\nalso included in Appendix A.\n\nOMD/WTB Response: Concur, a monthly proof of cash has been\nimplemented to assure that dollars are reconciled.\n\nWe agree to make improvements in record keeping and audit trails.\n\n\n\n                               66\n\x0cG.   OVERALL CONCLUSIONS\n\n     The Commission\'s Collection System application does not meet\nOMB guidance as it relates to segregation of duties,\naccountability within the application, adequacy of preparedness\nfor contingency planning, and overall access controls. In\naddition, after over five years of development effort the\nCollection System provides less than 30% of desired\nfunctionality. The data contained in the Collection System is\nnot fully supported for dates of the transaction, payor,\naddresses, payment type codes, or other related fields. Amounts\nare supported, except for the ten thousand (10,000+) plus\nduplicated transactions contained in the database.\n\n     Based on the above, the Team recommends an abandonment of\nthe existing Collection System development effort. Funds to be\nused for development should be moved towards the selection and\nimplementation of a COTS package for processing incoming payments\nto the FCC.\n\n     Concurrent with abandonment of the existing system, overall\ncontrols should be strengthened while moving towards the new\nsystem. The Commission should: formalize the Systems Development\nLife Cycle (SDLC) process; implement proper logical and physical\nsegregation of duties; implement proper security administration\nof userids; establish formal roles and responsibilities;\nestablish logical segregation of developers from security and\napplication functions; and formalize the change management\nprocess.\n\n\n\n\n                               67\n\x0c'